354300x8000000000000000368908Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:27.117{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58820-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000368907Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.638{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5039D4E2C771FB9FD505B4FA6048D597,SHA256=CE07AF810F0487D85F89C110723B257D955959A36D0358A12529E40735E583FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322729Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:29.366{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C1A084B9533AB76854B2C19E9EEC2D18,SHA256=BE1B419DBCAE528895AC3BB74F96BA229F4BC481D4886C405CB80BDE84C63312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322728Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:29.163{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1DF97A9F9BD0C436F6433EB59DDD2D,SHA256=14E8F143FB55FE2E2B53E3AEA8595ED80590F0300813F2985ED8AB1B51AE28AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368906Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.341{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3FDAC629F6322DF57EF5BC56BF3660D,SHA256=0524777DE2B1C26A546A2F1BA1A8DE125A282F2310A221D760C09CCC413952BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368905Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.278{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=20853A8A08CAC51A6D9FB86A880FF399,SHA256=AEDD8F41A35D4D82421B89CACC1277CE0215B89A981A17BBB185B10BF7BD6318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368904Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.278{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=008FA337F9BCA10B61E8BF8FABC392CF,SHA256=AE9E53BB18A6DE747618BBE1C20C41709DBA26727FC071F8D2195AE2CC5B335F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368903Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.263{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7334A6AFBF3D8B7154DFC3854EC1CA5,SHA256=5CD5B8619C0E1736E941AB4FA43D0D369120B3DBDA326662B1E8787D5183B26D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000368902Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-PubSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplication\0000ecb9837aa96085e95a514805c6e0a2b900000904\PublisherAmazon Web Services 13241300x8000000000000000368901Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-VerSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\BinProductVersion8.2.9.8 13241300x8000000000000000368900Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-CompileTimeClaimSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\LinkDate07/08/2020 18:42:42 13241300x8000000000000000368899Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-PubSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\Publisheramazon inc. 13241300x8000000000000000368898Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-PathSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvif\xenvif.sys 13241300x8000000000000000368897Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-VerSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\BinProductVersion8.4.0.11 13241300x8000000000000000368896Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-CompileTimeClaimSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\LinkDate01/12/2021 17:17:37 13241300x8000000000000000368895Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-PubSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\Publisheramazon inc. 13241300x8000000000000000368894Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-PathSetValue2021-11-25 09:59:28.872{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvbd\xenvbd.sys 13241300x8000000000000000368893Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-VerSetValue2021-11-25 09:59:28.856{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\BinProductVersion8.2.5.32 13241300x8000000000000000368892Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDB-CompileTimeClaimSetValue2021-11-25 09:59:28.856{27B459FE-5E5B-619F-2901-000000000F02}5388C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{596e1403-cbd0-7212-d9de-62e0c7e6a0b5}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\LinkDate11/19/2018 22:01:56 354300x8000000000000000368911Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:27.551{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-20145-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368910Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:30.638{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F15935D69D603A55F69FA49596977A,SHA256=3BD76148574527D5FB61A37EEB9BAAFC0F8B9318BEA8B2732F749FA9E4B47158,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322732Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:27.665{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49929-false10.0.1.12-8000- 23542300x8000000000000000322731Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:30.178{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682AC454E1537D7C383DAF5B12A18824,SHA256=C88B9000C887737B3E98C4FF11CFE84D47B69C094215CE9D58EBBF30475949E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368909Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:30.497{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33BB72833818508BC9622E1CAA1ED557,SHA256=9FDF15D0B6D0E47D7E7EE7E108459EB4FB39AF8919B8BBE053F5BDC8F3774B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322730Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:30.163{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368912Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:31.653{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BAD60EE1B67E00E56F88292594130D,SHA256=76564F9EFAE3C5E9A69CD500269BC74606A591963F16CF9B6E7FF086C046B5B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322735Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:31.741{99D2EDAA-5AC0-619F-0D00-000000001002}7763272C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-0C00-000000001002}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322734Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:31.741{99D2EDAA-5AC0-619F-0D00-000000001002}7763272C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-0F00-000000001002}920C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000322733Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:31.225{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8475239B6CAA446AC649EBF8E355DF2,SHA256=48223B627B5C862D55503E7F6E0F51C2BCD0A40AB01B104995FDD58E81427E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368915Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:32.778{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FB51D6198A19A39ABA37847EAED073F,SHA256=F18C9968FA698E29D6A088C9EC9606293C498BBDAEBDD6E48FBF2E4CAE4F1242,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368914Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:29.823{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-27602-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368913Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:32.653{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA7DA47D2E0DC53DAEEAF134F4D8945C,SHA256=66F07A1BA1EDB747205B4400F622D87DB2BF0C7834D23989A1EE405FBFFBDE76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322737Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:29.696{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49930-false10.0.1.12-8089- 23542300x8000000000000000322736Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:32.241{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B690C9CDFF42C352002C3EFD12DF0E,SHA256=84851CBC15334004488C6014110177BAA41A90F1FD5804FB88C6C290F79BCBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368916Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:33.656{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E963A4ADC880667655EE588F046B368,SHA256=340CA3FE39680A99DE09D0B7FF92174DF5B5ADDFACF5A299572413215F5D3CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322738Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:33.256{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFB33C68642802FDEF8C28607A213F0,SHA256=D70355E57870C17CB618D4B1E62CB7A2F7784510C42B42C70D786CF08113BB5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368919Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:32.161{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-35163-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368918Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:34.669{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF802633B4A9E8C725F0D00D2A18900,SHA256=FF70B92CC0955256EC93BCD59BDCF4F22C6F937F242AF83560A193EE886EBD35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322739Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:34.288{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8700C5A527A92C587C0C4DA60A476D,SHA256=AA40FA89FB10D5FB6E994AAFBE7CF6ECD7A7541DB806D966D9D514B147581877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368917Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:34.372{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=37501820DF7F1497AC6713FD1DF49098,SHA256=80312B321886C1B239575BFFBD41CCEBAAB1578330DEC87769AC6838422486EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368922Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:33.084{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58821-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000368921Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:35.669{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D9A9CC6E3ED5A69BA2010F1EB80218,SHA256=2012EA84B9F4A4291BED8D505362DC019C26CF002EED4BE0C3F4BCC698F222FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322740Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:35.303{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71541D406386EB4ABF5C3820C3F6765F,SHA256=13CDA3E014D1A468BCDD5BAA24FF4A0CDF11FB9437BA06CAA7223222F75ED1B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368920Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:35.200{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7674557C1536FA4CE58065962FE181A9,SHA256=05BBAE8964AB163C073731171173696CE15D54E2C15FBC17A738625B180B2CD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368924Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:34.468{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-43626-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368923Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:36.669{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E919B31C7A1001D179743431D7FB40CE,SHA256=B5FF2A45C11BE9F2C5F03B414B2B77BC449891E3ABAD546FF4BD367437FBECB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322742Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:33.649{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49931-false10.0.1.12-8000- 23542300x8000000000000000322741Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:36.366{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68AC28B998FC0F87796B413234D8417F,SHA256=07DC81CE11AC4D7CEE52003E6C31CC41561A6EB07F42ED4A25AC1DEDA9C792B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368926Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:37.716{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC78F8FEB31AA651529D4190CFC80487,SHA256=920C16D998967367229ECC73274CC2D93BE5CC90BEF4B5823BF9FE4D6258C27B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368925Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:37.677{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9285154A4FBEFCBE350BD6BB548E744,SHA256=DFE4B6318CFBA655B642A1436FF5825E8A749830434948AF7B78C1C23491C74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322743Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:37.366{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79164F28C2B322DDD6347EDD99288658,SHA256=724976137EDA3CBF3BEB218500390AF22F4EDDD6A8C3D4713CDDE1EDB578B22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368927Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:38.685{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92E8D06DCB5B9ED756728639E3B47CC,SHA256=3F87A7D983F38D21466F1904D872D3F0DEE935FD914F3EBC6565570C213AEA90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322744Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:38.366{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6893CA2DB988C8F3D9D419ADA323A4AE,SHA256=C5C0BA5E848292CE02205F352EC2FF5155FA316941802275F3565ED67A8BFA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368936Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.874{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A972AC2510EB9E41247FCD73D9321C7A,SHA256=75ED45B36A50EDA2FF48DA7AA5D9DAD99AF2BD4161F616E0D521688A27BFD582,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000368935Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484780C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368934Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484780C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368933Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484780C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368932Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368931Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368930Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368929Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.764{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000368928Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.686{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825DB2A5047770AFC50BDF35C59AF09D,SHA256=E2AD3D2A72F6BFC5E14663C289A7F15CF9B44DEA67F0087AF7EA0C3DDBB8067A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000322746Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:39.477{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0x29240dfb) 23542300x8000000000000000322745Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:39.367{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDC1FDBC26200FD43DF86A8E9EA20DE,SHA256=46967631AAF39F5311907AC8979CA72D9BABED181815BBEAAB9DB74E4063FAF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368939Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:38.303{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58822-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000368938Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:37.051{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-52652-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368937Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:40.686{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3101E1F0EEF92C93E8CDEF62C2DE09E,SHA256=C33B5D54BF8530FB3D9F218516530B181062A396DD8603D0BBCD764F1BB5C70C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000322758Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000322757Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000f892c) 13241300x8000000000000000322756Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1da-0xc7e49241) 13241300x8000000000000000322755Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e3-0x29a8fa41) 13241300x8000000000000000322754Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1eb-0x8b6d6241) 13241300x8000000000000000322753Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000322752Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000f892c) 13241300x8000000000000000322751Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1da-0xc7e49241) 13241300x8000000000000000322750Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e3-0x29a8fa41) 13241300x8000000000000000322749Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 09:59:40.883{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1eb-0x8b6d6241) 354300x8000000000000000322748Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:38.681{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49932-false10.0.1.12-8000- 23542300x8000000000000000322747Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:40.383{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C26C728E6584B013FE0CE2190EDCBA,SHA256=14DDF17E3D8F14FB61C3D844190989BC3D1EEF9642586F8E140204EAF4B5EABF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368941Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:39.154{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-1277-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368940Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:41.686{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99DDAE1ADFC2ABF98D43C9E8076E3513,SHA256=CBC230C58AFB80EA49EF7989B657EFEE40897F0B7CB713787AE795B74BE2D929,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322760Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:39.009{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-61.attackrange.local123ntpfalse40.119.148.38-123ntp 23542300x8000000000000000322759Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:41.399{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2245EABAFA6FD43D12CA40D4B3CBE016,SHA256=74C7DF0754C4829AE7D6785566D153F11FBBF4CC9913D95220BEF596D488F9C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368943Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:42.686{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167FEA172E30573DD8DEFA5FB1B4BBA2,SHA256=A45B0F4003A6BEE9DFF3EAC47CA5DA27185FF8FF01EFD2A899C171445CFF074F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322761Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:42.399{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50032ADDB1143B44A2B081DD5DC6F9FA,SHA256=5F981CFFCBE156E08ED8EAFAB074FB231495624505532A185051C73FEFD028F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368942Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:42.436{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2970C5E2288821242297E98D3B9B006A,SHA256=CCE247C87118385183C1B713A0941BDE1AA2964225DEAED7A9037723D241EFA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368944Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:43.702{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4ED64C02A2A5BAB3ADB9CAD163D992,SHA256=E23AA608B7E4C182B0CBE34DFB5E3238A0D9AEE0405A07097F7DA2F36F16DAD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322775Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E8F-619F-0501-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322774Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322773Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322772Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322771Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322770Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322769Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322768Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322767Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322766Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322765Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5E8F-619F-0501-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322764Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.867{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E8F-619F-0501-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322763Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.868{99D2EDAA-5E8F-619F-0501-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322762Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.399{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF2919B5016E3F1EDE1E647EC94308D0,SHA256=1461EEB007AEEAF3E9E0520E091F449DAA862C2FD23D83964A5BF6B721E3697F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368946Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:42.167{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-10129-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368945Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:44.702{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2410C7A07E5670D983D3437D880CEE60,SHA256=EEDEA6A20A16775F5A8168BEC48A28417AD8CA038635669F5AFFE4DBF5ACBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322776Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:44.430{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CAF63BDF332EFDD0DEE4D73894E7A9,SHA256=98D43C5D00F726AB4F529D9BDF0EF05166F73C4CD7567DA596BBDB114D03B6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368948Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:45.718{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C26721EC2E314138E6A6BB0B160558F,SHA256=1039BA84BB92362C50F5428479DECDC21A5C4415C7FAFF4D3E2BE86C80C62771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322793Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.477{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C89545C214DC821EF99582218EEF8E4,SHA256=0EFA0A8157AB17AE4EDF5AE9CCAE2A5C247A46707080A712C9462876C3895F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368947Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:45.343{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8194C7E70C2F58F4D2589A7BCF91C567,SHA256=DA6EF15962860C92C86F87E29D98FD8223382588075B537D15556288B553ADA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322792Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.305{99D2EDAA-5E91-619F-0601-000000001002}33282572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322791Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E91-619F-0601-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322790Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322789Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322788Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322787Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322786Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322785Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322784Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322783Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322782Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322781Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5E91-619F-0601-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322780Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E91-619F-0601-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322779Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.149{99D2EDAA-5E91-619F-0601-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322778Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.071{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86BAABEDC107E17288D4FBCE19B6A328,SHA256=4D30C3FC37B3E2DF3EB98FD120D1E461F7D51997E63E73EFCEC792C6A66F2AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322777Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:45.071{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6137B7189057A3B97ECB074DF5BA24A0,SHA256=572E69844FB84E39560AF1B440CFC029BADF46D378DD2CC6E03B55F7C3F1B777,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368950Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:44.181{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58823-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000368949Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:46.811{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33135FDF420BBBEA3739FA7884068952,SHA256=B62E4AF28AE0D49D469744575D6D558D980C1774DCF583077BA35E7A3D42D2CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322809Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:43.760{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49933-false10.0.1.12-8000- 23542300x8000000000000000322808Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.492{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4849F5CF17BAF41092D192EABF4ACE9F,SHA256=5CDBEE69B41C8145866E34F092C7A63B962D8DFFED652B1C285D0EA61EA81A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322807Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.180{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86BAABEDC107E17288D4FBCE19B6A328,SHA256=4D30C3FC37B3E2DF3EB98FD120D1E461F7D51997E63E73EFCEC792C6A66F2AD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322806Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E92-619F-0701-000000001002}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322805Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322804Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322803Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322802Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322801Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322800Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322799Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322798Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322797Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322796Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5E92-619F-0701-000000001002}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322795Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E92-619F-0701-000000001002}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322794Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:46.071{99D2EDAA-5E92-619F-0701-000000001002}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000368953Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:44.646{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-17920-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368952Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:47.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F1D2CCE66604F287C35FB9BB07EDED,SHA256=F9EF224FE51A23C73065109C7C335D73CFFC8F0031B3F7B2375BCF98BC1F0ADB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322824Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.868{99D2EDAA-5E93-619F-0801-000000001002}6843132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322823Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E93-619F-0801-000000001002}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322822Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322821Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322820Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322819Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322818Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322817Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322816Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322815Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322814Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5E93-619F-0801-000000001002}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322813Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322812Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E93-619F-0801-000000001002}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322811Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.571{99D2EDAA-5E93-619F-0801-000000001002}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322810Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:47.492{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2E07E439274CC7AA53EE38A0742431,SHA256=9AF67D90070EA4E16C3D572D33A5C26C7940D6625331EB426DAE26660118AC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368951Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:47.265{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7352668E4344D76EF0E8279C5F12E25,SHA256=14562C6CB39143A633267FA2F22774A2442A1E5AFD90B36A4B960D6D2991B418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368954Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:48.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A13A56642A3730866D3878183E087F,SHA256=331A70B4B0950950812EAD065184A8368E49ED5782FCB93D5488C5F72B160AC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322840Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.821{99D2EDAA-5E94-619F-0901-000000001002}37883364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322839Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E94-619F-0901-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322838Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322837Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322836Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322835Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322834Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322833Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322832Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322831Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322830Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322829Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5E94-619F-0901-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322828Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.633{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E94-619F-0901-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322827Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.634{99D2EDAA-5E94-619F-0901-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322826Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.617{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42BD67943C09F27A8130CED579889EE3,SHA256=1734AEB882D94C667CF3B6E43518F616274966E1F1F9B31E3B55A889C4431BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322825Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:48.492{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C4D97C4DCDB41B198340BFC372EEA1,SHA256=00FA9AE41AAD07A1E25C0A3E30B55FBAA8C300F7DAAB1795ABD78B645CABB2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322856Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.977{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=852BC720FA3BE5EB864627307A0DAC8B,SHA256=638061B88FC25E119EC989D347385F47AEE61143759AF4F9360893F20C983F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322855Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.977{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B28910A3C0F63C010D3BBC7A9CB8CE,SHA256=AAC7D224A36A59731786DDB2AE4030A7E17E1E0F73F90612C1C88B1E351D62B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322854Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.602{99D2EDAA-5E95-619F-0A01-000000001002}28842628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000368955Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:49.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0012E6A18E234D4A1E424776E4BE47D,SHA256=CCD63F6D298A12C932442A2A527CA75C163B6F29F43C0B9A337CFB073467FC69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322853Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E95-619F-0A01-000000001002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322852Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322851Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322850Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322849Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322848Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322847Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322846Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322845Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322844Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322843Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5E95-619F-0A01-000000001002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322842Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E95-619F-0A01-000000001002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322841Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.399{99D2EDAA-5E95-619F-0A01-000000001002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000368961Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.968{27B459FE-5AC5-619F-1600-000000000F02}1288NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RFfaa9e.TMPMD5=49B0042F3BC51E28EFEB859CA90E8111,SHA256=0FC01FE6DE4BE50A4543D18A46A15CB18800BB9E25174A9A66570CFD6420E9DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368960Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.905{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABFCB48034094F69EF0F000AB71BF6B,SHA256=9D5B086B4EB4D89DB65DB4B036CB6225DB8AFA0B027C71A56CA88C9549820BE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322870Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5E96-619F-0B01-000000001002}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322869Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322868Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322867Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322866Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322865Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322864Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322863Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322862Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322861Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322860Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5E96-619F-0B01-000000001002}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322859Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5E96-619F-0B01-000000001002}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322858Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.946{99D2EDAA-5E96-619F-0B01-000000001002}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322857Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:50.633{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37852C74162B926F1F055902BD616130,SHA256=B4CE663E513B4505BC8B0750AD17F26406E7ACB15FEAFA3559D00F0571B30CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368959Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.859{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B5870335E3DBB8BBCCD415BA36BE92C3,SHA256=FF37D3283D9674D8AC8D53E512A2240CA0225DDC7691157062A1A5CA19F69D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368958Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.859{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=20853A8A08CAC51A6D9FB86A880FF399,SHA256=AEDD8F41A35D4D82421B89CACC1277CE0215B89A981A17BBB185B10BF7BD6318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368957Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.812{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E158791F605C2DF6D3FDF6020EB72FF6,SHA256=E871AC008F114F2B470953EC8EAB40343E5D4E259FA4DD1EBF456273C6E0CED4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368956Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:47.027{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-24583-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368962Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:51.906{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1975FB0243276DCA7299E6E402E66327,SHA256=7D9920B6DA26BA5C5109F17D61D2F05DD0F0492EEAF91B3E9E639A409EF3D1DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322872Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:49.635{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49934-false10.0.1.12-8000- 23542300x8000000000000000322871Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:51.633{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42CA33866ACCD3541EFD613567078ABE,SHA256=B6AA31360987FB67B393F9613965776B42BB0C0242970DD24CC07B97CF280FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368964Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:52.921{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47DAD7652D7BBC24A8BA6858E6A51E4,SHA256=CC36401FC391573832E714815B07AA670991CADAECE9398B21E4B7D1F357C37F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322874Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:52.633{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB61C526BF8975074A0D052962B54DDA,SHA256=A327FDDCA60D3AD520D56DC71EE95145DFA4C46D6CC7A815F156D4B9B24EC9B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368963Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:52.405{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B5870335E3DBB8BBCCD415BA36BE92C3,SHA256=FF37D3283D9674D8AC8D53E512A2240CA0225DDC7691157062A1A5CA19F69D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322873Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:52.055{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A58D9B99E3310662F9AF674888F3BDDD,SHA256=C8BD27A46B5807668758FF2B894CEC229C6E0BC2559C5AC84B4F21C1FB2AA9DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368968Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:53.921{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E6A140EB340520FE469BD883EF5728,SHA256=ED9A01A6C21EF188D602726B308902B1386658C9069F98BFB742D37CAB301203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322875Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:53.649{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CB384CF25A6B755227ECFE7A1B0379,SHA256=65520861C0A9B9ECF81BF8C1E43F4F74A51D88A9EFDDB06B215E385E11258F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368967Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:53.859{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B74793CC112E037C70570E7CDB354063,SHA256=79D9B4439C1492673C154E059B975305E8F6011B8D62949CE5E25E59F0F5B035,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368966Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.747{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-35728-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000368965Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:50.057{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58824-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000368969Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:54.952{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A794EB4927F145743E50DB095BACC72,SHA256=A97CA65B862D7E449390D920924F99A1B8EFE4BB754BCB4A16A530A2F0CE05C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322876Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:54.664{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=904AA2DEC024B8E4A4C0C25C68C79B12,SHA256=7CD2C593788FE2582FE2DD1FF8E2FE9DD7BF5563C9BE309254CE298909152E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368970Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:55.952{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280382BDA72691FAA2E5A63142D48381,SHA256=8D815C64277E8BB3A5DB176C9A018475DE7EABB60E6A3B80E39558E472C1F899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322878Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:55.668{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F438EA7B80B8F09D5CB3BAE5DE75B29,SHA256=1F89EF471649FEA9B4114F7F701CB54D418AB21D1D4D44A40D9D3B29E59EA5D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322877Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:55.451{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-015MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368971Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:56.968{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F351BEC5C3448D189EEB8E9CD4C1E78A,SHA256=5AD0C2FBCF52EEE65AFFEA77EEBEBA9D7FFC4D0430951F6241A08FFE5EB06860,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322881Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:54.716{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49935-false10.0.1.12-8000- 23542300x8000000000000000322880Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:56.682{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B5AAB9896D6C8D10589F1E0484BE08,SHA256=F436D1716E38FB0F02C22A5DC9A904B378A95EBE50AD256D30B35F4879C1CBE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322879Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:56.450{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-016MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322882Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:57.716{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22E44CE03F45DEDA8C9EC28D25C3928,SHA256=09DE5FBE37191737D43813989E41482B280D31F2B360B3EBE8AA0FD0D8395278,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000368975Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:57.437{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368974Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:57.437{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2B00-000000000F02}3000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000368973Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:53.475{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-45157-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368972Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:57.046{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DD3131EA63621D54E665DDA60796130,SHA256=BE9385DB273094575E6F70B4747F5E9CA5219C526672C0327B2FB33C3D38A7A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322883Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:58.763{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C83FFA718B82BF2D410E5D5F5A74EE,SHA256=B9BF05B8CB2D30A11289657CF3A4BC4982F2475BDA3BF0A59CAA0EE0DCEE15FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368977Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:58.173{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDFD4795807A43C24EEA5EF5893EB866,SHA256=CC3D1CC532CCA2A2E2466D221415C64C60B0B3FE44AB5606120B85A130446538,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368976Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:55.226{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58825-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000322884Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:59.807{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5E0FCB7967707F9AD8FAC8E3EBA022,SHA256=84E2D21258BB887E14BD6A648A88E15CEBB2469F3D95E59C35AAB423BB0DFE44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368980Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:59.892{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCC2312721A6F667A0CC271922A04E2C,SHA256=9598C93C286BE9AF8133951F81AFB59676DF3F9DD22F6793208ADD21D5B22F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368979Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:59.202{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F2DDA793A3816EAF2A4E569909B35A,SHA256=54D9EFD786479709BB47F8704BD72F14B9B12E6115A01FEFC1EDEE47BA53B5A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368978Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:56.408{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-55258-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000322885Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:00.870{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4FA16B9010971CED4B1516A2C1067CD,SHA256=D624CF349518C4694885B7DBCBE9B8EE2F6DF832706843466FB53C035F45E6F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368981Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:00.220{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2A2393DA52C779D52B8EDB906DDEDB,SHA256=B021EBC1917A397E7A12FBB09268D5CCCC080F423F9A02A4D5BC574B4CDD00A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322886Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:01.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947649622F55066F8E847230EB75DAC0,SHA256=DAE317BA9D1BDC3ACC2A4DAF31C18E690567DCE2A70182630B5C15AA75773B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368982Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:01.220{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93138BFBBD93FE73186FAE4A39A3162C,SHA256=71F04F0BCD4D4057E8355FD59318643FB70DE758C3466E682D0A3AB8FD624E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322887Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:02.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E2CF063AE51403507008248CBBD728,SHA256=1DBB7C314B5499848B6E92615202EADE98C123DBE7BF04786CAE307675120E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368985Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:02.220{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0D08AB2535955E1015FE3F2B3FE781,SHA256=14B1FAEF4DFBD113A4BF74C838CF8A7AAFD45D80BC1B13FFE3AEDFF5298C5509,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368984Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 09:59:59.244{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-5575-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000368983Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:02.017{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=926D174E9B47FBAC4B1064B6F2F0D483,SHA256=668F38495496A446A20092AD779F83336A169188E48C5834620F0BC5A2FCAE5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322889Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:03.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D85C55DFE8A0B92AACA620911C1ED52,SHA256=A52296727B8F349DF3CDA94A074B4AC85240B800C22ED751CED8FD9799A57B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000368986Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:03.253{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0EFECBA3F25AD6DDDACBD6D0042363,SHA256=E7848F802E5869E693F4753C54E39A33A642D9452513888794D8712097EF8C4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322888Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 09:59:59.793{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49936-false10.0.1.12-8000- 10341000x8000000000000000368998Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EA4-619F-3C01-000000000F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368997Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368996Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368995Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368994Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000368993Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EA4-619F-3C01-000000000F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000368992Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.657{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EA4-619F-3C01-000000000F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000368991Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.471{27B459FE-5EA4-619F-3C01-000000000F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000368990Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.329{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1C6428EEDBB90B6141AE79FE7200FA5,SHA256=AE24DB82B73D91955B065A5663FCBE3A951847D103E67041E637BC15CFBFE81C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000368989Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:01.474{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-13297-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000368988Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:01.181{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58826-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000368987Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:04.267{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2857A54814A41C6723C6FA9099FA87A,SHA256=370D40F20F191A57CE534F6AC22C66A058DE6CBB09D4849DC86E53F32C3D082B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322890Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:04.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD29D34C5A44DE398EA60EB1AFB3E3E,SHA256=BB4F159436A3F5BF5E613167F587B3235A7A2D8BF8F3B4BF2128020E7E917E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322891Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:05.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6988C44C052003502EB254CB1C5BE37,SHA256=B0C4B38B1AAD7E71F836E40814B494E1B2754AD197B156BAAB423272961FB810,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369010Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EA5-619F-3D01-000000000F02}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369009Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369008Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369007Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369006Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369005Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5EA5-619F-3D01-000000000F02}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369004Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.939{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EA5-619F-3D01-000000000F02}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369003Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.552{27B459FE-5EA5-619F-3D01-000000000F02}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369002Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.501{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9895B882A55110F65E237833C5B0E80B,SHA256=D7BBB3C244316A6D521689C4B820862E035535E247C3FE9A93B39C39CA19B961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369001Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:05.360{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085CB614E73EFE92AF6E7F325746E8AB,SHA256=AE5E4B9AE3FB74068F6EBBC3CE72360A83B8E1B47D164E17203323CB249B6D1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369000Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:02.556{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58827-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000368999Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:02.556{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58827-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 23542300x8000000000000000322892Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:06.932{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BEDEC7387B8CE573537A5824D1AE4A1,SHA256=79671F075DF6635B7738EA0E637D22D86A015741A8362E854D8A76D80A7A3E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369013Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.579{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBC57CD72DCC57F3D399539EB9D145F,SHA256=C73B64031C2551D1E46FD8B85632DE94C0368AB66313AD21B0F858817FC84348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369012Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.548{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=637E1BB74BE684FAE8341755F8077FE7,SHA256=82EE31FE7B1BCDA1FAA47068464FE19BF0239857AB31DA0FA35834385B982138,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369011Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.173{27B459FE-5EA5-619F-3D01-000000000F02}53004036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000322893Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:07.948{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09A1E98767EA542FE3C899F1CE16DDA,SHA256=68761A8DEB43883C5EA281CEB501E3AF3AC83090AF5D2AF31B0D61A767594354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369024Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.642{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F58B70B88A271394E503212E6B63AB5,SHA256=C8655144D1528351CA5FE851FC6DBCA63CEDC6D69DAC827DE7DCEB073D6019E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369023Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.642{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6A586F7CC239B83964DAECC25C0B9B1,SHA256=0AFF67995F82C02CCD9C138368350489A423D59E759CA854F7E5972ED9AB29F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369022Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:03.762{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-21374-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 10341000x8000000000000000369021Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.036{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369020Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.018{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369019Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.036{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EA6-619F-3E01-000000000F02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369018Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.018{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369017Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.018{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369016Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.018{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5EA6-619F-3E01-000000000F02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369015Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:07.018{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EA6-619F-3E01-000000000F02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369014Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.565{27B459FE-5EA6-619F-3E01-000000000F02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000369034Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.986{27B459FE-5EA8-619F-3F01-000000000F02}13124900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369033Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.736{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EA8-619F-3F01-000000000F02}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369032Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369031Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369030Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369029Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369028Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EA8-619F-3F01-000000000F02}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369027Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.720{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EA8-619F-3F01-000000000F02}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369026Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.549{27B459FE-5EA8-619F-3F01-000000000F02}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369025Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:08.673{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218E80E49FC38B83BACDED9072D64D3C,SHA256=DA7D7BBECD732FA94EC233D727F968E0FF29AF2AF3147A5A0F3DB95033B6C58F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322895Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:08.963{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF900357F8A05ED2CCED9FC03C9F527,SHA256=F907D8BB44863A052A37DF5BB48F3AA00A4E396A1CD6A3630D800810AA54C11D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322894Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:05.809{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49937-false10.0.1.12-8000- 23542300x8000000000000000322896Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:09.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DB667DCD3E12A72ECE88915CE3EB09,SHA256=7A258832922328101C87F683C203AE1478D0CA661C16F5C2CB4405F97B978AEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369047Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.861{27B459FE-5EA9-619F-4001-000000000F02}52885324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369046Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.689{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04CA70D68FE3F3201889619C9BDB96E7,SHA256=3BB14BD34C885B8C4741AA7F2EDF41CAD2AC9E160A454795A73895D23A6B4841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369045Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.564{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1BD547E179E2BF47314A0A8EACFA082,SHA256=4FC2EB7625ADD16641184AD055B6A1DF1896DDFA0FDD1CE6601D4352D2543B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369044Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EA9-619F-4001-000000000F02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369043Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369042Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369041Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369040Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369039Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5EA9-619F-4001-000000000F02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369038Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.439{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EA9-619F-4001-000000000F02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369037Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.440{27B459FE-5EA9-619F-4001-000000000F02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000369036Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.292{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58828-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369035Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:06.132{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-29311-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000322897Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:10.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8B579F3A90620AB3DA3D9093DE0D62,SHA256=DA81E181C86F2F4163DD030571232960F8F723A2CA057442E9F5B3BFC6EA3B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369057Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.704{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054B20098A02886D6C1D416C3BF0062A,SHA256=2BF1D3E8E7D3F65191C77460E77CC7B8356BE1A458B44831F1AE553BD4FAFC67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369056Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.642{27B459FE-5EAA-619F-4101-000000000F02}43444424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369055Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EAA-619F-4101-000000000F02}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369054Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EAA-619F-4101-000000000F02}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369053Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369052Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369051Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369050Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369049Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.329{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EAA-619F-4101-000000000F02}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369048Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:10.331{27B459FE-5EAA-619F-4101-000000000F02}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322898Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:11.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA9576AC5377867E53CEB632E297ADF,SHA256=4A36761E5FDD082099FD57D2393F4619049A5D01BA9C406773E43E17DC5EBA79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369059Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:11.736{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAE14D389021799BC9493F15FCE5A6C,SHA256=218E068525B5C4EF9FC57841864C54812EFC99B2447C526F0321E12639111646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369058Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:11.345{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B04AAB04CADB6C6A551B481E2EEF4E2A,SHA256=84BA08A3DA6A6ED2129E470FCF68036D523731535E5E1B334FBE520CCAC19B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369070Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.783{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB5C06538B0242F197EF7EACF0E04DB5,SHA256=F17E432824C43075CA206C8801779AD67E0072BE84A46ACA44F2BA330DEFB35C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369069Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.736{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4ADA415CE64B6F87DB5042E57E3E41,SHA256=14CEF4C42D71A677B6DF9E0788D852D202B540C54C6B7397DEEEC716A603F4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322899Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:12.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2CAB3C5170AF8AF03D02ECF1EEC57B,SHA256=D2BC2FFC42D6CA2E0C9BA53468F1A1E189E538A34132292548BA8FAEF98A64AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369068Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:09.171{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-39932-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 10341000x8000000000000000369067Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EAC-619F-4201-000000000F02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369066Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369065Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369064Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369063Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369062Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EAC-619F-4201-000000000F02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369061Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.095{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EAC-619F-4201-000000000F02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369060Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.096{27B459FE-5EAC-619F-4201-000000000F02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369071Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:13.751{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7883932A533D67635571CE73ADB7CA16,SHA256=B1688BD019101D4B29FBFF941DB1B4CDB86DE2D15F103425CDCE3A060946B2C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322900Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:13.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77DFA42009EC46F7E80E80797B6257F8,SHA256=3B61418A0A1BA578AAE7235C4DA1D6326D3351A4000C44A7A990ED79B76B1131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369075Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:14.876{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2924B8A080075AC2A2EAC5F6DFE0AF51,SHA256=B29DC8A6A01861AB0764611CB33D66191FBE9594969E467553C7B5259C8816EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322902Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:14.995{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B5384F915FD87FD82243FCFC7891D6,SHA256=E987CAF7DBF18FC7EBE35F168C20068FD5BBFF46C0DA0678F22C18931B2A6769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369074Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:14.580{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369073Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.129{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-50516-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000369072Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:12.119{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58829-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000322901Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:11.684{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49938-false10.0.1.12-8000- 23542300x8000000000000000369078Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:15.885{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A8C7735005794EFC9ADF16DF53A028,SHA256=75888480D8D6E56021D1C51541D6D941180DA2534B0BB84B581F445EF0F02619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369077Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:15.590{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-015MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369076Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:15.226{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5149B60EA15F6A124AD6B3A0E5300847,SHA256=75E8AB68CCD7F0A1DB012D1B1368F3BED2F65D703826724B5F36E7D254DC98D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369081Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:16.946{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8DE0C65D51B6C78CA33C498A697EB7,SHA256=898E7263EE2226738B22276EC35BCFE5C362C41FF2A9D850FE0E262EE9FD9513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322903Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:16.010{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A737A0C6934FF05D8BDF477823B5D4,SHA256=30AE54A6BE74B5A0828FF3E5CBF2AB093668E4BC0E0901077EEB063DD37DD5BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369080Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:16.573{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-016MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369079Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:13.603{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58830-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000369084Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:17.951{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7952769F64A26FCB5FB214CF29D46A3C,SHA256=8E1C33B80CAB274DB768F13A189667FD9850C9520D9CD15969AAC3F893B957D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369083Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:17.560{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B40D4A40738CE646CCE2CC6380F11D8,SHA256=9545D1ED1F0C928204508C98B0732953EB215F18101104340D70869F9FEAFB0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369082Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:14.506{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-58552-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000322904Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:17.010{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B39046AFBB1F52CE2CA9742082C8FD,SHA256=D9E14C56A1B068F8FE6C529AB10BECA618C477543C5A0F7CEB8AE5B0CAC2A465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369085Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:18.951{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7782071E1A2BEF4ADACD1962667AE310,SHA256=AC1482D0257C244DBE6B58AF6894F2743D5ACB0ED1467E5C278F450EC006A658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322905Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:18.010{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B858D2CE4A18FF78E43ADA0694A63F,SHA256=CBC59AA3100755515A8EBA539DD1163F191799274A0B0064BFE0EB8D1C432926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369086Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:19.966{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508DC6620C6AFCF576EA6A65E99983C1,SHA256=CBE316F721AC88273DF1CF19901A9AB4773D00AA8D1E011CCF90E93B94A25F10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322908Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:17.591{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49939-false10.0.1.12-8000- 13241300x8000000000000000322907Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:00:19.506{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0x41000776) 23542300x8000000000000000322906Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:19.010{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A6C9FD6DF8E873734053EB828CA55A,SHA256=09A0D2C13EC64B44D60AEB3B21833A111A748D0DCA8135FCAD816AA3C2191BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369091Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:20.984{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA063F94991778BCA673FE199AD31E8,SHA256=08381F12D630FD813771E948D438E2CC9F3CA404EECEFB3FDBBB1C5647CAE5AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322909Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:20.022{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E19045F5B4A9F25B39BD2059C3AD657,SHA256=A99AB3BF0BF1ACB0E39CAFFD735A601AC50EC4D4F9F447065FF683DD4AE907C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369090Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:17.165{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58831-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369089Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:17.077{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-8457-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000369088Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:16.839{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-266.attackrange.local138netbios-dgm 354300x8000000000000000369087Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:16.839{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-266.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000322910Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:21.037{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0F93A25CEC5A59B69B5A563837969D,SHA256=063345F2E8ECB862304D9C33788961B5E11DEB40D3E3D8CEAB184B214C4465E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369093Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:21.326{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E307067EDE6FA6654C67C817F475C87,SHA256=1A82C3D994950B80C38FE50804E408B2B7087FE2F1A905DE6E082AAA3A2AC3F0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000369092Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:00:21.247{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0x4209cec8) 23542300x8000000000000000322911Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:22.053{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4AE5D39C881F7C38771D7671DC3294,SHA256=21F4374F367ECBCB16CF08768F3D997913C9A3FBD347955DF7CE44CD1EC1DDBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369094Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:21.998{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E2FA96AF6BB71A80374AC272368CE6,SHA256=089A9F22437BCC4C235703D1C3F97498EFFBC6B25AEF8AF6AF277F367FE0F3BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322912Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:23.068{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4774A25B6EEFD8254FADC2C16302ACE1,SHA256=01ADC8E72FEB7781936FD4E03BFF3F6E8ED52DD639591120E1C29BCE474CF972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369147Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.982{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxnmsg.dllMD5=6D4200720B659B72D790526B09FEDFF4,SHA256=66C3CD0325D717523BFD14EAB1CFBE13F614BA753AB125FD734747ACB27EE9CF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369146Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.sysMD5=060959F9BE8EAEACB47255658A7018CB,SHA256=6EC9C4CEC786FF06EA2D6F547798FAE4E255662219FD5536D5FAC7B6108B729F,IMPHASH=5A9046C211055D28BF0892E100F10D44truetrue 23542300x8000000000000000369145Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.PNFMD5=76ECEA82F53EF95A76B2207ABDD1FC97,SHA256=C2730843E1517FDEECD302D93FC7D629A42C4FE9060F6FCA37A7085759907571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369144Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.infMD5=1B69FDC8CCD34B8B3743C8A97C2E90AD,SHA256=83CCF811C2F2F9F8337270D5AF00AE41E76F8BE3E83B1B46A9494A350BC4C142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369143Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.dinMD5=E3142F1ED12D1F1D6574C564FEF14A7F,SHA256=A220E8A7BF2233813DE1EAFD17A075C3B4E071B52E48D9EE17FFA199527A1F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369142Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.catMD5=760F99775B12D3C68FAC49268C261656,SHA256=FDB58B626E4F572F8257D70CA888CC8F2E35B770329FAAADF9BB56C6456C4AAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369141Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.966{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\NicInVXN.dllMD5=C8AFAA519298C27D145550F2D57B4F94,SHA256=A92B47A8D57DFBAC758E713EB6A62A5969E4EF00DE3463C1179A8133D0A7D620,IMPHASH=913216F349C3C30723EACBE7EFAC0752truetrue 23542300x8000000000000000369140Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.951{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\NicCo4.dllMD5=0BD0040999429E77C02912F052B4A8DC,SHA256=C0109B670B60721665D62C9677B6A816009E7421C341B31DE7B2B76E357694B6,IMPHASH=5A14127160FF1090472EFBA582E1C28Btruetrue 23542300x8000000000000000369139Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.919{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\INF\oem14.PNFMD5=0156163A3E5B27D5B84D08294B841F19,SHA256=09AF0C75866CB65DD6BD0295651724B1EDB3E8D5947A2C71A451890B3857BF47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369138Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.904{27B459FE-5EB7-619F-4501-000000000F02}1964NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\INF\oem14.infMD5=1B69FDC8CCD34B8B3743C8A97C2E90AD,SHA256=83CCF811C2F2F9F8337270D5AF00AE41E76F8BE3E83B1B46A9494A350BC4C142,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000369137Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.904{27B459FE-5EB7-619F-4501-000000000F02}1964C:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\drvstore.tmp2021-11-25 10:00:23.701 10341000x8000000000000000369136Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5EB7-619F-4501-000000000F02}19645924C:\Windows\system32\DrvInst.exe{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\DrvInst.exe+dc1e|C:\Windows\system32\DrvInst.exe+11cf|C:\Windows\system32\DrvInst.exe+158cd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369135Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369134Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369133Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369132Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369131Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EB7-619F-4501-000000000F02}1964C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369130Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.888{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EB7-619F-4501-000000000F02}1964C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\umpnpmgr.dll+b0b2|c:\windows\system32\umpnpmgr.dll+9f88|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369129Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.896{27B459FE-5EB7-619F-4501-000000000F02}1964C:\Windows\System32\drvinst.exe10.0.14393.0 (rs1_release.160715-1616)Driver Installation ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationDrvInst.EXEDrvInst.exe "5" "0" "C:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.inf" "0" "484ad2367" "0000000000000BB8" "WinSta0\Default"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=188CE3916E9FD3D123F38F01F8F8B93C,SHA256=C196086017725E8724DAB1DFDFABA9F4B7CFACD47A885BCC81984F8BC78D9F75,IMPHASH=35385286B2F23FB279C3D2868A503474{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000369128Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.873{27B459FE-5EB7-619F-4401-000000000F02}5884NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\null_hecisystem.inf_amd64_fe9d94bd0664c1b8\null_hecisystem.PNFMD5=B15D63802FF9708FFE41993E7158DAEA,SHA256=3FF15732BD811BDFAD0A25C2BF4B2ACA3650A835BF97E95A034336498B702E21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369127Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.873{27B459FE-5EB7-619F-4401-000000000F02}5884NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\null_hecisystem.inf_amd64_fe9d94bd0664c1b8\NULL_HECISystem.infMD5=9BE07E097B29209B5691B485F326B6C1,SHA256=ED89E7D2E5399834E6666ABA7770EDB3CFEFEB9D212951596C58E655CCE909A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369126Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.873{27B459FE-5EB7-619F-4401-000000000F02}5884NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\null_hecisystem.inf_amd64_fe9d94bd0664c1b8\NULL_HECI.catMD5=21B9B34047D9F75857F25B19F48B21ED,SHA256=E1BFDF4EDC1AEA9B94D3CC1F531A4BFAD96743900ABE8FDBDD5FEC95C863C08A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369125Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.810{27B459FE-5EB7-619F-4401-000000000F02}5884NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\INF\oem10.infMD5=9BE07E097B29209B5691B485F326B6C1,SHA256=ED89E7D2E5399834E6666ABA7770EDB3CFEFEB9D212951596C58E655CCE909A0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000369124Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5EB7-619F-4401-000000000F02}5884C:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\drvstore.tmp2021-11-25 10:00:23.701 10341000x8000000000000000369123Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5EB7-619F-4401-000000000F02}58845668C:\Windows\system32\DrvInst.exe{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\DrvInst.exe+dc1e|C:\Windows\system32\DrvInst.exe+11cf|C:\Windows\system32\DrvInst.exe+158cd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369122Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369121Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369120Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369119Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369118Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5EB7-619F-4401-000000000F02}5884C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369117Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.794{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EB7-619F-4401-000000000F02}5884C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\umpnpmgr.dll+b0b2|c:\windows\system32\umpnpmgr.dll+9f88|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369116Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.797{27B459FE-5EB7-619F-4401-000000000F02}5884C:\Windows\System32\drvinst.exe10.0.14393.0 (rs1_release.160715-1616)Driver Installation ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationDrvInst.EXEDrvInst.exe "5" "0" "C:\Windows\System32\DriverStore\FileRepository\null_hecisystem.inf_amd64_fe9d94bd0664c1b8\null_hecisystem.inf" "0" "4deebfe63" "0000000000000B1C" "WinSta0\Default"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=188CE3916E9FD3D123F38F01F8F8B93C,SHA256=C196086017725E8724DAB1DFDFABA9F4B7CFACD47A885BCC81984F8BC78D9F75,IMPHASH=35385286B2F23FB279C3D2868A503474{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000369115Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.779{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxnmsg.dllMD5=C4FD6144854107881753962266C11543,SHA256=AB9445DA45C287F09C5BE90EEAB1C2ED7B97982A34949C45DA407F390FACBDB3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369114Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.779{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.sysMD5=AF4E936C49B994EF0A141789C2290A16,SHA256=00D327607BF7D7695AE9A6EB94CB34BC1D8828E834F72D61D2748EFF2B3C5BAA,IMPHASH=E2B74CDB105BD582CF5327E3935D9693truetrue 23542300x8000000000000000369113Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.PNFMD5=94A7A207CDB8652E8A64430AA29827D4,SHA256=7200638615D6DD13BA60ABD2583A912D419E352352971324022C07D822C438B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369112Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.infMD5=199ACC11483A48E8BA7B02842AC2BE15,SHA256=9F3558265B484A5239797B4052E420237A40BCA34D1BE108EA9DD7E462FC6F11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369111Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.dinMD5=63E4A99BED8B4322CE1A9692E675A125,SHA256=33D07248FDAB322DAC2B1AD7B01269C57BB6A4148191B9D6CABF5BF6C41742A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369110Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.catMD5=6630B6384092EA07EA6444D817194465,SHA256=C9D99D973DBFB23C0EF1B517C27EDA94477D7E5E94A616C20266D344E892E6F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369109Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\NicInVXN.dllMD5=8697E77D522CCA7412460E377FBD7438,SHA256=B98871E10F6FA38FB6D8D4270085BF06396300B228D5885419453FA0C6395678,IMPHASH=ADC7B716DB197BAC9AE69CFC2A7017D8truetrue 23542300x8000000000000000369108Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.763{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\NicCo36.dllMD5=4AA441F4AD7491BDB2162F87A1DA6A3A,SHA256=56954C185A7D8CCD391C08FA998B59B13765688CD53BBCFC56E4FE2079B5E4BB,IMPHASH=DD763F8C38ECDB2B8D750E0941DC51EFtruetrue 23542300x8000000000000000369107Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.701{27B459FE-5EB7-619F-4301-000000000F02}5804NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\INF\oem3.infMD5=199ACC11483A48E8BA7B02842AC2BE15,SHA256=9F3558265B484A5239797B4052E420237A40BCA34D1BE108EA9DD7E462FC6F11,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000369106Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.701{27B459FE-5EB7-619F-4301-000000000F02}5804C:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\drvstore.tmp2021-11-25 10:00:23.701 10341000x8000000000000000369105Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5EB7-619F-4301-000000000F02}58042700C:\Windows\system32\DrvInst.exe{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\DrvInst.exe+dc1e|C:\Windows\system32\DrvInst.exe+11cf|C:\Windows\system32\DrvInst.exe+158cd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369104Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369103Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369102Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369101Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369100Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.685{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5EB7-619F-4301-000000000F02}5804C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369099Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.669{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EB7-619F-4301-000000000F02}5804C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\umpnpmgr.dll+b0b2|c:\windows\system32\umpnpmgr.dll+9f88|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+29cc|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369098Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.679{27B459FE-5EB7-619F-4301-000000000F02}5804C:\Windows\System32\drvinst.exe10.0.14393.0 (rs1_release.160715-1616)Driver Installation ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationDrvInst.EXEDrvInst.exe "5" "0" "C:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.inf" "0" "48643ea57" "0000000000000BB4" "WinSta0\Default"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=188CE3916E9FD3D123F38F01F8F8B93C,SHA256=C196086017725E8724DAB1DFDFABA9F4B7CFACD47A885BCC81984F8BC78D9F75,IMPHASH=35385286B2F23FB279C3D2868A503474{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 354300x8000000000000000369097Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:20.551{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-20315-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369096Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.482{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67E11FD8911627519E0BB09AEA6084E5,SHA256=A60A8F802D087D06DBD17EA2C423B876A6A1AFA5484E791A8C378F010C01D0AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369095Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.013{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D734865D710A3E6235E8DEA90065D08,SHA256=2182179FC2086E812464D0E5488CFC311AAF90C39808C9D29A869794983ACF0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322914Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:22.790{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49940-false10.0.1.12-8000- 23542300x8000000000000000322913Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:24.100{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1489E6AAC6759855815F0A85E3863C35,SHA256=D9B0530247D31451BC32F61292B6ADEFFCC49421A3A3CD12CA220BE24F78066E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369151Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:24.826{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2C3EB7656A59093CD9A4F1DB2FDF8590,SHA256=2D4BD16108169ADC4FF0C6648744897E5904875EC8D4F227E8BC5F2393AE04F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369150Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:24.826{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B9A54C9055F808A2379E7C79ACD33287,SHA256=B138268C35AD1242C9C69A25F084D8AC4A338A0D2CA1A85FBDE5AB3534E6AA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369149Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:24.779{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEAEA411A38437CB419DEDF415521376,SHA256=28C3B0D11AF60381DF9D301D150DE86E4487E9B3C5D417975124D7A43CB6DCD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369148Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:24.154{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133B1FB6C6D6D6C79537CBE3CBFC0969,SHA256=5EDCE3795928CF21D60E0D150829CFEAD2E8442D66F2077FA90CF808A0702945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369152Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:25.169{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07E52DA0CED7D54A4020D999C078520,SHA256=005ADAF5C166B8A2B28D02C6E368987BD9DA6545D899B7770B3F313B49074ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322915Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:25.131{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93998F2A1CF95E131B75A2EA5F46FEF2,SHA256=30E6534C779D7650FAE2C572892037F89158883827BAE6ABD47040C384DAFFE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369156Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.119{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-28279-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000369155Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:23.101{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58832-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369154Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:26.201{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6833F060C31F01AB4AA184474EC20D76,SHA256=8C6EA38C3D198D9115DFA7C626E5A7F43EAD1BE64B7F093DBE155B517A3FBFF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322916Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:26.147{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79017BA536CAD7048D176F0FFE5EEE4E,SHA256=A8A4FE2E9BB0CFD22648A7DD03ED086F6B4F7D8A47C75E0B7F9D303DBFE30E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369153Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:26.044{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A103C4A4D7F91875229BCF2B8BD61DCF,SHA256=31463FE12C475BAB9F84FAF5D88548AEB092068AF360B5691F8CD621B943E779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369157Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:27.248{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54796F320AF3171AEEBDF43E883962D,SHA256=D2679DC18E8CC228B65E3C031DB240B853224A9A56A57E8D4B91BD17CFFC528B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322917Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:27.178{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBB0717AAADA88E9358A25EF3E9DEBA,SHA256=9313CB26B3A1ED771BC899E3F47AE876814179C1DABBDDA2E4DAE749B72277FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322918Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:28.194{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203A0BBE2D9C8E40547588E0839AB9FB,SHA256=8632F531D23E78799A1798E041B259D6E67C42A3C98694077ABEA763FB0A08F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369159Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:25.479{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-35909-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369158Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:28.248{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA8E811CBC7FD63DEFDE3B4EE9D8913,SHA256=430DB32A46DBEBB28F620347FD72CD57D10793AF69845032D8D5FED0DB43CE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369306Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.451{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\WimProvider.dllMD5=1B0C7DFB2240BA004B37904073624DB3,SHA256=F2C7DB522DDE968EDF49B03BC10978AAC4C42C745CA4A474627E8CEBBCEBB00A,IMPHASH=20D31D66F56B810094B1AA564C92009Dtruetrue 23542300x8000000000000000369305Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.435{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\VhdProvider.dllMD5=F37C8F5BF852151D9BF085687A8DEC6D,SHA256=6CDFC95C2F2ED3695D5EE8CF4367A6C7FB5707DA3C234CEE8FA8C1BBDE426DE7,IMPHASH=3CA997A1A0BD38B850B18DAED5E948DEtruetrue 23542300x8000000000000000369304Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.435{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\UnattendProvider.dllMD5=3DB4777B76FC1973A61754FAEC348981,SHA256=29A4C7379E5A0A7532C90B5ACE0DD99AB5311D03CC0BA6A4BCFB410D7D8B01AE,IMPHASH=4FA75E8720452554D61C8AC5FD64C43Ftruetrue 23542300x8000000000000000369303Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.373{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\TransmogProvider.dllMD5=5E82E2B7CFF045C7CDA8E33EAB186402,SHA256=0038B82E999C3DEF3980D39A8CAED9EA6B52A4FC9EF58BF3B3F5FC91F7748112,IMPHASH=7746C0E3C7D3763C5F13C90D4934087Btruetrue 23542300x8000000000000000369302Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.373{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9E2E02612A14BEA2ED78ABB5C531326,SHA256=0907C76440B4A1E08BEDC9477C687F4A29C36EF3B69E3B1EEE2E70A09C660619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369301Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.373{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\SmiProvider.dllMD5=C5C7A9E3121B91E51ECFBA6FB2985044,SHA256=FB519B9EEF4C3344D58C768BD3AD7ADCB0677EA7B998056B6A13620CB9E61412,IMPHASH=03C38376DA7CCE75E82EECACADA0EA03truetrue 23542300x8000000000000000369300Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.357{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\ProvProvider.dllMD5=5077063311C5708318C5FA3E255011ED,SHA256=97FA95102B6ACF00C70F140EE9FA4A73A6BE7C03E0F0D99AE58DB5E492CD0ECA,IMPHASH=D8DD764BFC0F1D9E403714D169018B83truetrue 23542300x8000000000000000369299Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.357{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5AB2892746199C7A29C2B892EE5746,SHA256=AF2392A935957515F9F9496F43A4C84E1315D1F02A938652E127A2A69C2A1E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369298Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.357{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\OSProvider.dllMD5=4868187A2F176074DB7F35E356F74D4F,SHA256=84C8C4C67C808871A278254304D985533F67D44391840F43674FC829014E1B60,IMPHASH=82A4D833A82D441391A9AA3027199337truetrue 23542300x8000000000000000369297Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.341{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A733379D41E38FCFA953E44EC7DCA4,SHA256=99DE77809B20E3282DFE76DFE3D0D3A05476AF9C284667B7F2A6C1D402591167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369296Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.341{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\OfflineSetupProvider.dllMD5=86B7E8438B1125C479FD275B1BDDB9A7,SHA256=47FAF8671B25A30D7BCC47AD35926D70DB633A181FA6C276479B4408A526E63E,IMPHASH=B8B4A188EFC4F12D33591C6D319B6F12truetrue 23542300x8000000000000000369295Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.326{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\MsiProvider.dllMD5=EA19239A85416A488360FA564D312402,SHA256=F21591336CD1A24EE941827620405FA34414C1C349216B4B8083ECD1FFF17C29,IMPHASH=33E1132923056DDEFB0521726DA5B987truetrue 23542300x8000000000000000369294Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.326{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\LogProvider.dllMD5=F7DB4F104DBB56DF5A156E7329E80112,SHA256=7C67EFAF44D1413576B4575B1A4C975BCB10B64BEF13E6756E895D4DB9E61AA2,IMPHASH=FB695172E8A76C56E97CE435F8ED0220truetrue 23542300x8000000000000000369293Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.326{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\IntlProvider.dllMD5=0082903881275179642AE83EFA720310,SHA256=7CCF1625E6FBE4DB16F12AC037E4236A3EF269DEE47A157C68374C867941F9E8,IMPHASH=CFB81BC5FF922F23D605A653700FE666truetrue 23542300x8000000000000000369292Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.326{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\ImagingProvider.dllMD5=EEB4AA36BAD26A2C6216A1FF3439B58C,SHA256=44A6679425039DC870C297294C4B3323F6FA9DE5C7D16D7D0AB7E1254AFC75D3,IMPHASH=0264D9B4BFE54732ADF0E29BC73BF280truetrue 23542300x8000000000000000369291Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.310{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\IBSProvider.dllMD5=11DE34FCDB75E79A920D3B491F3E7BF0,SHA256=6B7C7AD8B1AD522B27B2CC5E4F76F56ADE4495D7D46CE4F997A68954F072AF17,IMPHASH=C755896FA14213058E34639A28868FBCtruetrue 23542300x8000000000000000369290Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.310{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\GenericProvider.dllMD5=397ED660129D40927A27B75A4B8FAE2E,SHA256=EAFCECFE911DABB4531E1331DDF2E119DCBB6B7A887D70BDE737EA76BE10EB74,IMPHASH=F55EE75573C110804DE5E50ACEEC1B06truetrue 23542300x8000000000000000369289Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.310{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\FolderProvider.dllMD5=6428B4D0C26DB23E9478F039891CD5C9,SHA256=55126BB099785C2F9CD32A30991082C47D62C8231D570A9D8A6F3CC599B25EE1,IMPHASH=B2CC5EDD42A866F7CB6CAE42DB969187truetrue 23542300x8000000000000000369288Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.310{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\FfuProvider.dllMD5=E27BC7F808E72F08372BA3C40B4B6344,SHA256=927B194432046C0D2ADF7C7B71E4BE85602C4D00A5D6EDA9F9DB9924E1C3447A,IMPHASH=8580AF5C1871319D05329DB2E96A8146truetrue 23542300x8000000000000000369287Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\WimProvider.dll.muiMD5=CC3B15540DDB521A300BAFF0BF4F902E,SHA256=33C06CC037DF1EBB72A15BCC2E09BC89DFEF7DD94441C650FD3D0C833122002A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369286Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\VhdProvider.dll.muiMD5=10536C56F02E68EBD13D0B2CE8665C6A,SHA256=06C3B71D251A8DD47D02EDBFBE84E0B6B1D67956DE4D3996031434CBAD728929,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369285Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\UnattendProvider.dll.muiMD5=B7E3676672BE6851EA13ADD879C2945E,SHA256=2D2D82EE842CD346B58DCAFAE6FEC46D491E0D15CFBE0D8964A4AB7F18C5AAB9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369284Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\TransmogProvider.dll.muiMD5=D5D596B1102DA565C2ED1FAAC170E758,SHA256=B5DBB36E947FD64AAF22C53F0A9634C7D72D4CC270C055B67E020920BF806909,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369283Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\SmiProvider.dll.muiMD5=CAD746ED5AF63E7FC49ED4A5A3984629,SHA256=016C6071B04E6D7E12AD9B8A85C002320331E01ED62922C573A1AC43BA0DD919,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369282Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\ProvProvider.dll.muiMD5=70AFEC86B6CF677BF8D3C713CA3281FB,SHA256=C8579EC95A51EB663FFC6145F0998C2F1930A6B8146C84C0A9094BCA4E5195A7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369281Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\OSProvider.dll.muiMD5=A464DFEDEA8520616AA9B2ACD166A77F,SHA256=54E985CFF256CEBE82E9EF3E814A5FDA9FF730BCB50265E9BA78DE65A4DE3F42,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369280Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\OfflineSetupProvider.dll.muiMD5=CED788DBD9D13D0490B2F642B0B051F6,SHA256=D5DBC0A52B598800EE14569859383525950B865F4816E47E2E73F79AA1C32A09,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369279Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.295{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\MsiProvider.dll.muiMD5=5AE9ABD6BB469F3AD7B3A4CCD40974BF,SHA256=C2CE66F2F218890AA76F8BAB68B4C0FDCED0688E694F912F3A5BFABFA6CDB5E7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369278Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\LogProvider.dll.muiMD5=0D4519BC8EB58A006E4A5EB993C0DCCF,SHA256=DAFFE67521F9B4657FBFEF9585234CB39293F9B866C0D97D66F675037515BB51,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369277Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\IntlProvider.dll.muiMD5=16ACB74928BC55FD4AAC316F3B92E1D7,SHA256=17CB486CADB679C75A27BA6C76E2FE714F4B8DA845E6F795759517D6734F0BC9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369276Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\ImagingProvider.dll.muiMD5=26F5BBF8D6EE90B4F47C18E93D1087FB,SHA256=F41738FEF7140176447ECF371B1117A485E48BA6F3E9AFAA8C4F883ABFAE62DA,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369275Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\IBSProvider.dll.muiMD5=0B09FE334215A8E736B2CF08A50D5204,SHA256=DCE9AD3B79F91BEBEDDFCD9E03F1557CB7C6114AC906081E9E046F807093CDF1,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369274Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\GenericProvider.dll.muiMD5=956B8B45B92321C0D5975EE9A6C5B773,SHA256=578541D71466CF61EF399023B34EDFCBD915142BE856534AD4D17D25E7CC9F3D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369273Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\FolderProvider.dll.muiMD5=DC4E4C2800DC6D98F7893044A21D246B,SHA256=8B4CE62F4E4294E701193C7AE393EB5EB29AA45932D376CB1A03728A140096AE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369272Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.279{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\FfuProvider.dll.muiMD5=5ECAD70AC2B3A95CBB42D6FE67D2F726,SHA256=C210389DBB9B7B4A802E4B0C3C708B6F55B086564A01E19CFB183B6AF916C30A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369271Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\DmiProvider.dll.muiMD5=38C2A1560C340537C3AE0CE04BDF7EAA,SHA256=52B06DFD85FB5AB1DCE2BE665CA144B1AE6658F518D1623D9B44C347C482B064,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369270Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\DismProv.dll.muiMD5=BD7B77B3EE9A12FF3F5446ECDF80B5C6,SHA256=B972A0B2C4682E9074441B481BD886DE19B8DB3DBA401B88E980B154C14D5A7E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369269Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\DismCore.dll.muiMD5=C901FF639EDFBBE710D6E5882F07CD24,SHA256=9BDA61D23DC50F9AFA82DA94B06B7B9C8229D5ED666D2F5270DAE13100815C27,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369268Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\CompatProvider.dll.muiMD5=A2A344CB32B6835744A36D877C952665,SHA256=A74D765B796638A921C4810D1712A08F7A37C9BA9E91F4DFDCB9727611C3D18D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369267Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\CbsProvider.dll.muiMD5=179B34BE97A383AF3E757031E7DA964B,SHA256=ABD3824664D1336EE849D89BA178606CC1B1E23E173752D8093F34A5580FA8F4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369266Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\AssocProvider.dll.muiMD5=386FE7AC95738A0CB6D25DEA662991F1,SHA256=22DC7317108A528BA92C853330598F628B93FFF27CAC34C2F501B806A75261D9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369265Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.263{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\en-US\AppxProvider.dll.muiMD5=9FF5081115C2C21D9F85AF7EE6D2CC63,SHA256=107B10A8C1426F1C0D703F06832D740A4CFDCAA596FA0EA147A32A736A7A2A4D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369264Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.248{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DmiProvider.dllMD5=FC76385FF00D4A93618D842B41716D8D,SHA256=BBD49A49CFFA8411FFA91B02541F5F3B5333FD9055BC129DDD3B36EB005C34D9,IMPHASH=062B279D8ED4374A0CD0C84620F4BE4Etruetrue 23542300x8000000000000000369263Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.248{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DismProv.dllMD5=8C7D97E22045AE402EA896F514CEED81,SHA256=76D3202E11BA22D277532A14CAE60E596975C0D8C34C7BE154F453EB1F7C37EF,IMPHASH=0247CB1C8FD55E43A448E359883057DBtruetrue 23542300x8000000000000000369262Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.248{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DismHost.exeMD5=A59C22B77871CC18970038B7FA43826F,SHA256=CB84B51713BAD689ABB96560E57A71B276D4B28B1C09C7116EE85F5782A1B144,IMPHASH=734010D3430DBD2CA51B599924FE1424truetrue 23542300x8000000000000000369261Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.248{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DismCorePS.dllMD5=FB88731B484D1FF4AFF5DB75A20799FA,SHA256=EA155388211E0C3CEF2C99BD5F341C9F93F1ECDA6F21096DB6F9DB2110686A52,IMPHASH=65E10DCEA11F7117C161DC7557B87689truetrue 23542300x8000000000000000322920Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:29.381{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8A09D1D2FB053AB28E4D9D648CDB5B6E,SHA256=F96E5F05AEEBA529AA1D289296894A2616A4DC3471D2E6472BC8A9EE49312054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322919Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:29.194{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96A7D7708E19A6C7D273AF7BE04028F,SHA256=4CE0932AF2883FE605C4D2F35DE69AE6C00CE2FEAAB5B90F258987823F73BD19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369260Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.232{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DismCore.dllMD5=F1AB58CACD95921A04225222D03CDEA0,SHA256=EDE89F377FD46F95639413411CDA072D9FF63E72A399B26AB4870094F145091B,IMPHASH=B7B56C790C8AB7134B0680D8DFE46658truetrue 23542300x8000000000000000369259Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.232{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\CompatProvider.dllMD5=E5C1D020198EBEC1D5ABA640C9A600D0,SHA256=A80FD2846E05AB491BDAAFCE8854A04549A852066B82B90D757D9B6A44ADA8C8,IMPHASH=2CDD615C09EED7B572606B2A0C0EFD2Ftruetrue 23542300x8000000000000000369258Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.232{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\CbsProvider.dllMD5=D4A64C7C50D0C6BE9F8770177E2264BF,SHA256=E6505F9DBE17DF9E7E52B5FE1720E1F6482B25D262A47A320CF438C5FD5A5797,IMPHASH=99D5DC4FF67AB12670853DD4E32E8358truetrue 23542300x8000000000000000369257Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.217{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\AssocProvider.dllMD5=56CB83B3454882509791FBA62832BC87,SHA256=5B01524CC03B6EB58CC9E0FF479014EAF89EE7FDE2791BFF871BC90274D200AC,IMPHASH=83F73507B4613B09C6FA825535D8A81Etruetrue 23542300x8000000000000000369256Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.217{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\AppxProvider.dllMD5=8F6792DF9EC54934B76A68B1D7B66ECA,SHA256=E57CB2D5CEC5E1354F4E31CD08ADA02FCAA0E2DEA4B28C8F61683BFA3E875C05,IMPHASH=F1558CACACA712554EBD5926B4B3FE52truetrue 23542300x8000000000000000369255Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.201{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-winsvc-l1-1-0.dllMD5=09934F0F7227B9489D117C26EC20CD14,SHA256=CBE408A0AFF90986A6A7DDF022F96302B4FADD08A0C3C166CAC7A64D6ABF041D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369254Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-private-l1-1-1.dllMD5=484ED248F1A72C6E4E6F6C3F5A3339ED,SHA256=00E14515FE6FEBBF3C2CFC89A6F1A3D6F48B3E7A5EB08D50DADF69CE3F34CC47,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369253Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-private-l1-1-0.dllMD5=FEBE55EA884F3C1EE45ADE2734AA6BE6,SHA256=CD51DF334A600117133C9C8100DDE766D980456988FD333A40BE5A81C8092340,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369252Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-management-l2-1-0.dllMD5=0D45D811001E0A7683A2B7CA8A883874,SHA256=F44E2A85D7507159AE115C85C3497C57BE4ECB2D6ADDB30A534110266D56F92F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369251Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-management-l1-1-0.dllMD5=C36912B3A28B06F5BB24FE9BE49DA4D3,SHA256=D737A832C0D595E8E52846C2D748B911D7155E372F43FBB10513CFDE0BBF83B7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369250Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-core-l1-1-1.dllMD5=A86D518BCF3970C17A1768792FDF37FF,SHA256=AB5CC1B14D6BB708B5C87C2622DA886E2119A6997E08108CCE36080385DAEE71,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369249Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-service-core-l1-1-0.dllMD5=A329C75641638E2FFA11087F614FD4C1,SHA256=5071AA303D436407D195EF37889F018BE7E350DA5E690793587458D4C6D308DB,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369248Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.185{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-security-sddl-l1-1-0.dllMD5=C6C6C3E4D7CFA93246362901750A94D9,SHA256=6E274ABE823EF8B30629A99D9F942794C9FE6D003021A0C5085B49A7D8611DDE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369247Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.170{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-security-provider-L1-1-0.dllMD5=207B5716605CA4850629F3E2FFFA07BB,SHA256=BE6E6284F69C76BE6366EA8D44D85BDBAB6A71DD42E8B5575CFDF671AD58DCA2,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369246Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.170{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-security-lsapolicy-l1-1-0.dllMD5=FE7AD7265E296947172B8C491E8109D2,SHA256=4D231AC65F0F54BFF45CACFFE7DF3109CF87F78D14960EC8F03654E605AC8ABF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369245Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.170{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Security-Lsalookup-L2-1-1.dllMD5=EBD6475839F5C99FB8855A80E0FC2AF1,SHA256=F519C7AA6930DAC83A3045CEEE42F64F26FFC54254D5ABD1B0F7D99C47569A30,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369244Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.170{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Security-Lsalookup-L2-1-0.dllMD5=AC284A6251F5D26633AF48D918D09628,SHA256=F7A34B793AACF75DA4EAE843B6088C0BAAA8B835EA5F6A65E72EBD9A1479C8A8,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369243Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-security-cryptoapi-l1-1-0.dllMD5=DE0A49D4B2E9A5FA6762BD191C622B32,SHA256=AB12FEAF15CB313812B01AFE1198B62E72F7702D140830ABAD2CFB6251E82A7C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369242Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-security-base-l1-1-0.dllMD5=DC4B661366FEAA4ED54FB1004D9E7A3D,SHA256=B4018F8F249CE087DB46F61A0C2E947248A5B71576F511F0B3650433607BC663,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369241Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-EventLog-Legacy-L1-1-0.dllMD5=B8B7B02C3C66638EC0BDF49BCF04A680,SHA256=5D1103E89199731DFFF7BF89D7F6484C038D47CC04F730CD5233EDE488272E6A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369240Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Eventing-Provider-L1-1-0.dllMD5=FEAA05CE6CCB92AA7B2A2C58C049891A,SHA256=31A4AE262E179DF4CA406E1AF90F651935657BB5FD990C675C67E37D5B834CFE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369239Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Eventing-Legacy-L1-1-0.dllMD5=88450242D5350529CC8E46FD9C3F3B7B,SHA256=312B6BFC89B551F2C4E8FEDAB316DBE01F190CD5E67091AAFB0E6F67616DC745,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369238Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.154{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Eventing-Controller-L1-1-0.dllMD5=00A27A81EAAE90C9CED7063013877357,SHA256=DC4EE086FC046E1D7A291EA3B8B13E77B7A252B5C283B8F6C9CEC729070B7822,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369237Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.138{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-eventing-consumer-l1-1-0.dllMD5=61958A4BE8F944BAFB29DF8009541FCD,SHA256=3B7CB5622BEAC7D633A84EE2F7336C8DE1D3D1AA10577D98020081AB67761FAD,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369236Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.138{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Eventing-ClassicProvider-L1-1-0.dllMD5=8500E093D6B36DF1AF271F6EB34227CA,SHA256=99E2CD36104D3EFD4DEC88AD0F4BED1FD1BBFA97CC4FB29DB7F7136290DD6B70,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369235Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.138{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-devices-config-L1-1-1.dllMD5=5A03B636125C21AB918D2CB04843DBA8,SHA256=C914CD6FE6C7B16533763BC789EDAF67D7A19C26514C927572051C4379C79FC0,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369234Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.138{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-devices-config-L1-1-0.dllMD5=0C61A8D9CF9BBF6D771BEF0FF4A43E23,SHA256=66807B95E13944D52E9A7AA1F1A41E632FAA46F6B48F98451618DB3845622577,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369233Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.138{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-xstate-l2-1-0.dllMD5=56A386E38B637FCD96CED04CEFBCF8DE,SHA256=A5BE1E3C71A3A5C8EEF4BFAD9D0BADC97BA47B2B9911CED4BD1B8F65BB8DCB77,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369232Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-xstate-l1-1-0.dllMD5=6A982D13DDB295E59F90FF23EDD2E60F,SHA256=3617DBCADFE370463B4DBB91C1C6222923F16EC362DE29C2CA3AE4E72C9ABB64,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369231Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-wow64-l1-1-0.dllMD5=AE7573E1DC370B9A8FEBCC17A6C82FF8,SHA256=59A473D1AD7C181C89AF00B966CD107F1846CDC526009C4807A1EAE3DCB3731D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369230Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-version-l1-1-0.dllMD5=5CB34501C2D784D31281FD526B0BB963,SHA256=E45B73AF0C35F05B01CADF6BD4F67C1497586F4C4F9A16F0448BA751E16C4596,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369229Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-util-l1-1-0.dllMD5=212DA9E9AD6BB61A3554A4174BA558CF,SHA256=01291D3895EC5BB0E658F91FE1512AADCBB6D8F1154BC6023076554AFA05AC1D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369228Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-url-l1-1-0.dllMD5=198A08F8150D7575CC207CFFCF67D66C,SHA256=86F6DA0F1D075B7E1678DF71689948FEC334CFB10316FEB40E5107135548F9B4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369227Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-timezone-l1-1-0.dllMD5=4D7C132D9742FFA44248B1BBF32020FB,SHA256=58A65C1938DCDF64D2930B037E9D133A5ACDF46365835782869D3216D3CF2CED,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369226Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-threadpool-private-l1-1-0.dllMD5=A9BC53B62CD4B269B8385ADBE0AE808D,SHA256=A30003AB0C020E433CC5296E7E150BB11820395D439062FF7FD6D7F449C4C5B3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369225Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-threadpool-legacy-l1-1-0.dllMD5=CAC86F4298EB2D239410B3338780DC34,SHA256=1D99842180A612D63F1A8B137A9BF0375B7113AAB325916BA4781AB8A7B68E7D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369224Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-threadpool-l1-2-0.dllMD5=D32DDF80AB3F1F96F431E5672DC1F387,SHA256=E2F0F0D46082ED40D042BCCD47F4E917707CF884672C5919116126914FAD4572,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369223Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.123{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-sysinfo-l1-2-1.dllMD5=E83097DFE144367FA2231828F9FD89A6,SHA256=69FA978126192DBAB6AF11C9878D9C2BD1FD7E3FC899300244DFA4A1AC7ACA31,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369222Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-sysinfo-l1-2-0.dllMD5=8D842EBFFA7803451A3AC7D6907A6AD9,SHA256=808C22A733B5F6A4E601605DCF4043C9952CEBE825FF2622097FC5B4FACF682A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369221Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-sysinfo-l1-1-0.dllMD5=376E34D4A8F94C94FFF063810717612D,SHA256=5285A11016967E2017A8187882579CBD722371D0B7497B356149FC447160A521,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369220Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-synch-l1-2-0.dllMD5=E19F4FA6A6313F00ADE8AF26649A0BA1,SHA256=386F6CC0C3CE0C904A44A2FDDD11B2E5EA7782B08E69FD961DA5BE3C32BA5C26,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369219Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-synch-l1-1-0.dllMD5=95088E453B41A8B50E7340E6DE9CD09C,SHA256=E4938C16CA5FC7A8C9D87E4201FA2F28992026F5858F36A2A44EA22B5BD0889F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369218Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-stringloader-l1-1-1.dllMD5=FE1D00B19175DE6E9729F709C508DD6B,SHA256=D726F32AEB323F4DEA55D35441D1FF06BF3E212846A6B86D9ADC8F9DD1307B57,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369217Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-stringansi-l1-1-0.dllMD5=43F8D61E2EE0E253B973EFED0B3EBC8D,SHA256=1B9FA225A474D42FF8360141C8BC1EE1E7310958910931AC8E5A213E957700BD,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369216Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-string-obsolete-l1-1-0.dllMD5=92C0A4E592B5D773C562A36CBA4E6E47,SHA256=5191E82E921398310FE9FD333F5CA44E6233358499EDD5B33BF8E9F0C9D3B88E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369215Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-string-l2-1-0.dllMD5=3E1902AF98905F00E62B1EC827EB0FC2,SHA256=503443DBF6E6E481EA1C661109CE17B3D55C4FEA001D77F11CD032BDDF64FD29,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369214Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-string-l1-1-0.dllMD5=D30D4587D051D288D1023DB0D826295A,SHA256=DFE66C8C205C95274565BADB7B3C19043917F6CD07A8DE34CE241EFFF9EA6676,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369213Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.107{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-shutdown-l1-1-0.dllMD5=1D8D1283F8279BDDACF8745AEDA3DB2A,SHA256=21BF3432160DD9851CAAC716DF3A41E39428A84BA9B9D3C63CDD300CB6928300,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369212Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.091{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-shlwapi-obsolete-l1-1-0.dllMD5=33BEFB60C3DC3E93FCE54A0515100181,SHA256=24B3FA4C5E8AB463BD2CFB704D7BFA7E8429726852EF582F94E44D7691BDD1FB,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369211Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.091{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-shlwapi-legacy-l1-1-0.dllMD5=699CDC66AA090D13EFF451F2006944CF,SHA256=6212B2B8CF5533F9DB6E366BBADED7A8D6EAD6667EA6A425B6987102669D8D96,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369210Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.091{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-rtlsupport-l1-1-0.dllMD5=F9672F68330CD16B0D1FA3A75B123AE8,SHA256=C5938839A3DFFBFBFEF432D0A95D0773375B4758FC160EDD04383A4B4273A18B,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369209Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.091{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-registry-l2-1-0.dllMD5=BBC015F33C0C3C2F9FC58C466BF8A30A,SHA256=1ED3511DC98353CA8E9B22A40C318BBD24484C25C171886B06B22AFD396ACFE8,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369208Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.091{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-registry-l1-1-0.dllMD5=D132FADCBF190A1C68070E6D488E67D7,SHA256=E6F51C07641EF931C4F97E5D966242BB96A156A603A7769BEAE0EA61E9E25486,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369207Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-realtime-l1-1-0.dllMD5=792C54B79CA333ABBB51BE66815A98CF,SHA256=1E3B3505560AB3E641C386473A83AA194D94CD5BC6CC4FA718D003D1FF899601,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369206Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-profile-l1-1-0.dllMD5=C4E53285E8C51DCBEFF5098215759D69,SHA256=320A6138FE915BE7E83F4CDC2024531948185C3BFC939CB367A53F1AA74BFB2C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369205Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processtopology-obsolete-l1-1-0.dllMD5=99E3ACC47F10000AE67A577F5893FD5A,SHA256=AD01524D3FDDC25C91292808E7B333B587C902E996E557885E79CC10F9A66214,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369204Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processthreads-l1-1-2.dllMD5=DABFBC1EAB7AEE555F3BAEAF981EC7EB,SHA256=3070505B0B060D9EE9C2B699A518481A22DC15ECAF9603089FCF9EBC022179C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369203Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processthreads-l1-1-1.dllMD5=8C5DF20B2E2DE6BA6717A597A951E4F7,SHA256=BE42C78E3F21CD6E74811F27E1B76C4FE8537FB149EF34EA455F22AAA29720ED,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369202Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processthreads-l1-1-0.dllMD5=3D0CD1FE610E55E8C151162004A1429F,SHA256=D43535460D9CF2F2D348E9F2027DAF9FC0C0C906D5066E15F86332C839C94651,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369201Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processenvironment-l1-2-0.dllMD5=BB20192D0B22AD2EBBF4960B66D2E164,SHA256=23E758C4F7646AACC2DE8B8930BB272115F726F27E5437DF606E1C2328FA48F4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369200Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-processenvironment-l1-1-0.dllMD5=2CF62C9CF255C15AD1C8B1CCDD9453D6,SHA256=35CDE2048D4EC8D5D02B1CA57B81B8D5F579541EDBAF5DA4485A6323B8C3A805,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369199Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-privateprofile-l1-1-1.dllMD5=FA8EFF9B35BE58F70CD0014DAF108819,SHA256=835F086B0884E8E1689D661657F258FA1E71439672E9F0CC0140D614DAB6FA6F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369198Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-privateprofile-l1-1-0.dllMD5=C8490BC5ACB353CAF140CB12670883A2,SHA256=85F3FE5E802843596F466D479111658B08271E48CC1821EB17E6D299D523C95E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369197Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-namedpipe-l1-1-0.dllMD5=D8F1E545D80C2045881C7F0525558D80,SHA256=0D9C3D6A6DF364F812D370258C1B3D3F97584E9F7D36569D06746EBA1695D368,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369196Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-memory-l1-1-2.dllMD5=9F77AA276A31F36805DF003F9E66BD99,SHA256=26425008D97A2EA8B95AF52BFE47CF5DE1DE9BB3E25DF77123B85C895192D7D6,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369195Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-memory-l1-1-1.dllMD5=728A5655624D5B091E8E216BE90D9EF9,SHA256=A2B17F63065CC760FA9CF5D2950D0E13613997546C90CFA1C094CF32171D49ED,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369194Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.076{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-memory-l1-1-0.dllMD5=BA6B6729DC95AA60AF31A160E2CB4533,SHA256=AA433713D5D1DB4413E9F5D938C0C452BAE8EB1BF8CD011803464BBD893BBB08,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369193Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-localization-obsolete-l1-2-0.dllMD5=B5727AD79BEBAAB6E6AFA381A28A8E9C,SHA256=C0E101B6BCDDC28A9BA24C7796BBDAAEFC14459E402FD53053F3C23E0D84D040,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369192Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-localization-l1-2-1.dllMD5=FD9B6F1EA88B7167E6EC227A61B90888,SHA256=2FEF21096468EE5C6BFC88971AFDB4CC07F6C4669375561863B85023C15684AF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369191Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-localization-l1-2-0.dllMD5=C8420A86D981BB6AA0D32001D234639E,SHA256=2E93EA8BB070C07C39B7F042B7D9843C4B74B3D4E69C8E33D89B0574B2D1D43D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369190Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-libraryloader-l1-1-1.dllMD5=787DCDC02E39A27A63B857FF6E819593,SHA256=91A7DEC7B636C00032D122CA04D4B8653B13E1211C54A4184F3955D2398C2E2E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369189Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-libraryloader-l1-1-0.dllMD5=AC90FCC4E819CD2EEED5D09A1FA42BAC,SHA256=2DA68FCBCE619BE5A90501F971467B7A894C6A705659346729E1E4E306EEB7D7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369188Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Core-Kernel32-Private-L1-1-1.dllMD5=E269D033D63A117DA8F3F855B90CCBFD,SHA256=41437C84BF757CC5758BF381600D0DECB00E8F8F56F11765203B7880AC4CDDD0,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369187Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Core-Kernel32-Private-L1-1-0.dllMD5=58B0B7C61F098BD1E73E9C156CB38C64,SHA256=C366B92E7048081C7B336CEAB970BAA20AFDAEE2456820AA38360D1429C27669,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369186Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-kernel32-legacy-l1-1-1.dllMD5=912D93DCBE67A1373D93BACD0174E3ED,SHA256=0B94CB7472E0777AEFC1B3208ADDE41B893B78B3223F515FB86348D3362624C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369185Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-kernel32-legacy-l1-1-0.dllMD5=8E788763C9CDB6E5D1A313C08F7D621E,SHA256=5604FCC803BE14AD10C7A2372FB19BC80D43AD850109A670676982A4EC961473,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369184Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-io-l1-1-1.dllMD5=DC7E345A08B64DDD90906151E1D566E9,SHA256=ABDC082DAA40FCAF14E4E554DF23CFC48533F5A2157BD540BFEC49EB8E31E403,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369183Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.061{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-io-l1-1-0.dllMD5=A4381D04E233B96B657262DE9B31594C,SHA256=17BE2709D85E6B922BDF5D357FB4CD9416234F8E6685226F5EC776E8B3B5A678,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369182Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-interlocked-l1-1-0.dllMD5=39646EB20F4366691E3EFF958C99D1D4,SHA256=262D2C2EBAFFA4276F54B05A5A1DA125CC9DCCAF76EAAD3AAF7B23D54EC33C8E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369181Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-Core-Heap-Obsolete-L1-1-0.dllMD5=0C5DE8F3B6CC9B44ED0A0556A02F4867,SHA256=D08261783A1749B08F7423923B00FD77E3B44265889B1F550A64239586BC8FC7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369180Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-heap-l1-1-0.dllMD5=51EBE577149EABD170684C2668F967ED,SHA256=0091D6C33047D8EF6E0F09E049DF2CABA5EE6B4F5B1870E0A369D3BF6DB72330,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369179Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-handle-l1-1-0.dllMD5=F83CB23123F3E4885547ED29F2BD2360,SHA256=495A9EC7C50D6D72F209E1F69C9B0C292D8D32FBE79FE675128786F8E351B988,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369178Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-file-l2-1-1.dllMD5=8B79E85DB9AA6D00794E5151455951BB,SHA256=EE600140599138132439FA9FB9FA6B028A9BF2A206A856CCB1106EFF45459C13,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369177Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\API-MS-Win-core-file-l2-1-0.dllMD5=455C1AB890C154076E0E23A42F10B6F5,SHA256=DB95D8AA71A8E0A54852C1A83E42267C72E26F2A111AD41146096BF26825FF62,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369176Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.045{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-file-l1-2-1.dllMD5=A9808572063E5A5649EA59F8B40FC7A8,SHA256=D4FD5081924D4B544188A687BD37127E0A38AF310E77C55F6EC22896B95B3C9C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369175Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-file-l1-2-0.dllMD5=4438E1D7952A77B7F71FF45EF821814F,SHA256=1C4FA5120E310E49C8112ACB6E594DB2F581AE4B6BA6241EEA4301E0E373959F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369174Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-file-l1-1-0.dllMD5=FF5C179E19923B65E650B11283250D50,SHA256=CF84455BC2AADF2960F0AE4D3691BF3032F412578CB2730A27848C6B26D00225,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369173Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-fibers-l1-1-1.dllMD5=A263189D905386A2A91CD2EB39D3365D,SHA256=7392027920D102DBE4C2C15590CC471063D6B1456CAA797BB71F8973C60B47FC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369172Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-fibers-l1-1-0.dllMD5=A1827E232474C845B7A495D1A4CA6169,SHA256=A95088251923F1233CA4F5675457D6D6B2A1601734D4B5451420298491864746,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369171Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-errorhandling-l1-1-1.dllMD5=E98BCC3FA25D6DB36D50786EF08DBADD,SHA256=7BDA00F42BE64BCC1022EC3000FE2582CDF4CC89083D868ACA9DCE982C98C52C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369170Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-errorhandling-l1-1-0.dllMD5=14E8A42D84E459F617344438903680EE,SHA256=1FCB6E1908C13B5184373E83B3C13FCF96B55E4FBBC8AAF4D6E9DA604DB75848,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369169Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-delayload-l1-1-0.dllMD5=762D2E52FAFE433C50648FC23D7C3E76,SHA256=53238588E10FFAABA96C751D34181BA04A869A0474757E79D9FE82ABC3DC7CFE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369168Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-debug-l1-1-1.dllMD5=1652E7B742F30832826B48E62485BFC7,SHA256=0362AFCDFB6CA89CDEE0DACEC94A5E45D6910B5337343149007DE2443050D154,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369167Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-debug-l1-1-0.dllMD5=E02F6786930435C736D71E9B6B898773,SHA256=4C0F43EAC3834878F16175B17427C0195A3213B7CDF9702447667D703AA29B54,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369166Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-datetime-l1-1-1.dllMD5=78876D83AA27E510EC3DC3355D034B92,SHA256=44A696C4626AF85EA565D651D7FAF5E21B6EB0C6EE47EE93419D8A7BAD565278,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369165Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-datetime-l1-1-0.dllMD5=CF9560A4450AC70C51866581802AE8CC,SHA256=A7A23DC37F028D38D2836CE881FCFF1FD066538588B207BBBCC3B1AB96E3AB62,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369164Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-console-l1-1-0.dllMD5=893E267BD0B91FADAC2A2BAE70FD0400,SHA256=17D17AC0383117E9A14D7687ECAA3B27AF1C71B89687A5C3E5B8761B2E64EDFC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369163Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.029{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-comm-l1-1-0.dllMD5=C7EC73197892D7F63059C10D19BD5D90,SHA256=768E17ED08111FD22BAAC8FAC00C7DD87F0E57FEFCDAC58CE04B868528B2FDFC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369162Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.013{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-core-com-l1-1-0.dllMD5=08A5A3129DCB52F3C4E51EE3C4A827E7,SHA256=3C6549832275052BCC2234CC4433D95407800ED65359F5147C4762EE0C71F712,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000369161Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.013{27B459FE-5E5A-619F-2301-000000000F02}4332ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\api-ms-win-base-util-l1-1-0.dllMD5=29CD6DDC6BADE9098B9A4402C6336D62,SHA256=B97C475AA8241C9B674E8C51C387AFAAA7977B036D9E2F7FAFB6CACC11D985BE,IMPHASH=00000000000000000000000000000000truetrue 534500x8000000000000000369160Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:29.013{27B459FE-5E7A-619F-3901-000000000F02}5360C:\Users\ADMINI~1\AppData\Local\Temp\F6DB3D85-3CF2-48F4-AEFA-BF5B9B9E4FA8\DismHost.exe 354300x8000000000000000369314Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:28.303{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58833-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000369313Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369312Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369311Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369310Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369309Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369308Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.560{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369307Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:30.529{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E11CC20887DCC70F2743880A6CF8E2E,SHA256=79D582B7BB7AB362D2EC9BCA31A3D9C4A7FF854EE4138F8ED449710C41CE38B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322923Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:28.556{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49941-false10.0.1.12-8000- 23542300x8000000000000000322922Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:30.209{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8A7709A85AADDD33C952E5013EBB98,SHA256=C627F65A05EA361B1C35F7E98471CBE14666156BC0E4F192FF3DE5EAAF1B5092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322921Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:30.178{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369317Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:28.902{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-46263-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369316Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:31.576{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFC5F44C97DCDF36FA16625410132F2F,SHA256=9E6E11EB2CEAE215B2E16BE15A8FB8AED583D232E97BE0C855886F4BA1FEA6EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369315Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:31.545{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD28327F1BB9BC4E9FD82D0D16A921C0,SHA256=18EDB61CE3DF042FA57AEA43278C8D3F33BA74DFD2B1FA09ECD398F1B7AE601F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322925Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:29.727{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49942-false10.0.1.12-8089- 23542300x8000000000000000322924Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:31.209{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F078C3F48049E3DFBA76CB8F1B348885,SHA256=F5D20406810B728375AD4FE9AEB3DF1F84DC488A1C899F958E8E0F67F07EC42B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369318Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:32.545{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3C47414A1F9947DAAC9797B6003244,SHA256=916EA0F93B368E31EEADAD3C8718BBDDF232CA8D0DD0A70789F5ECBEE50D261A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322929Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:32.225{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D01055B96BC1C7D5916D57CA7CE1A0,SHA256=D2C592274B63411B17DC760351C96CABD3F316DAC490C168F351AAD1F44EE00E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322928Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:32.100{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322927Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:32.100{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322926Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:32.100{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000369320Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:31.089{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-54146-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369319Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:33.607{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2362395FD74852A495FC15BF5D640E73,SHA256=4E705E8A995AECA4F8C098F4A8B8C32D4B1A457146DBC458BB287D53E204F5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322930Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:33.272{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6E6B2F8CF79699CE5F0968A73EB8CB,SHA256=2E195B33A99F12745AC6D3373A2F4A149B0CF2E3A2A1CB739B1E8DD99C720166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369323Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:34.623{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D912595B69D9E2EDE6858E242E34E4,SHA256=1CCC0CBCA48EA7D9DD60AAF4B8A7CF8D6E01B1F7CDEE4F652FFBAEA9D193AB64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322931Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:34.272{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65CD2B3336BEFC3E1ACA6397CB484E47,SHA256=6643A5F997467C9F7BD31885030DD5A9F921C360EFC21E74A9159A073DC5D39F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369322Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:34.388{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D357F49890E429A06D1B6B849FB03BE6,SHA256=81B08DE7AC98C1F52DD1A0ECED024CC970D8EC798B56B3057058B7463358E4D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369321Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:34.123{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6C8B1EC701A5F07733E2089C7B32ABA,SHA256=991DA6633972D91A06563E185BCDDDFACEF5C96038439FEE3E8D0DE03BF7B8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369324Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:35.639{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466A9EDC19CDAA4E1C5E8F84E6AC46BF,SHA256=F7B827C18DD5E77832D6F5AEF7C16BEB55BEB5329D2B6D917092AD7702E1CA16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322936Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:33.555{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49943-false10.0.1.12-8000- 10341000x8000000000000000322935Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:35.366{99D2EDAA-5ABF-619F-0B00-000000001002}6162332C:\Windows\system32\lsass.exe{99D2EDAA-5AA3-619F-0100-000000001002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000322934Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:35.366{99D2EDAA-5ABF-619F-0B00-000000001002}6162332C:\Windows\system32\lsass.exe{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322933Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:35.366{99D2EDAA-5ABF-619F-0B00-000000001002}6162332C:\Windows\system32\lsass.exe{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000322932Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:35.334{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC2FAC266B1454EB9D3F5E8115F07BB,SHA256=41AFAC3371733CE51E4CB4D0CB394F9EAE72CCC59F67DCC9B084A96E1751847C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369329Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:34.371{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-49944-false10.0.1.14win-dc-266.attackrange.local445microsoft-ds 354300x8000000000000000369328Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:34.161{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58834-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369327Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:33.439{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-4298-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369326Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:36.654{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6027E2F91167139E52011BD1034B6BA4,SHA256=43AD148824457BD5660C76D157F9B0D171F407E4641099174AFAD2C1D7D34F43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322939Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:34.921{99D2EDAA-5AA3-619F-0100-000000001002}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49944-false10.0.1.14-445microsoft-ds 23542300x8000000000000000322938Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:36.334{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BD07E366966BCF8F49D33F9E6D4608,SHA256=0355E8713DBE95F823804F06FD7A2CB6E07ACCEF3FF2FD69C6FA4F34A4547575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369325Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:36.295{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE75876EAD14530E6AAFF705AF6390DF,SHA256=DDE67A355BAB2AFFC9B35541C5D9F3A4EBE697E0A108B679C27AB575BBA4BF2D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000322937Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:00:36.256{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0x4afbe7ec) 354300x8000000000000000369331Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:35.239{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-266.attackrange.local123ntpfalse10.0.1.15-123ntp 23542300x8000000000000000369330Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:37.670{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422F9008BD0E1E6F867C9280AD9CF1A8,SHA256=C2324FAB089AF59BEDC0E38964DE8866C314719E3198C501026B46A7AB5B1C9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322941Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:35.789{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-61.attackrange.local123ntpfalse10.0.1.14-123ntp 23542300x8000000000000000322940Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:37.350{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855E0BB2C0D97E80EDEDF3DD1D6699E8,SHA256=1B4F70ED2CC6A0E17518ED9159F89A1132F8B373EBA68AF3E8EBDD43FEA3C230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369334Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:38.826{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=830C2625F8679A2CAC9A69AEED128751,SHA256=69E592817482ACCED0319DEC8D25CE3F73BEE448B36709A427B29F58008294D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369333Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:35.966{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-12617-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369332Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:38.670{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76838CB6508E89842AB8F8B0640D2A31,SHA256=EFDD2A666FBE3944902A4916CDE6209BBC1D8B83FEB09D5FA462B0F8A2FA89CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322942Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:38.381{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D078260832A946ADDBD9860026AA9F,SHA256=9ECBCED01C763916CA1D65454AAB490D830CD0FC2E7460D485C7A48EFA46EB42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369394Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.796{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369393Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.796{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369392Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.796{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369391Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.765{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369390Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.733{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000322944Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:39.398{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96EB2000443E0CEFD46BE2603896CFB,SHA256=98B0F964391C70DDB2B25B40063DFA43A4920EFA72623ED904883960DD4915BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369389Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.656{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369388Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.656{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369387Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.656{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369386Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.656{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369385Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.624{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369384Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.624{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369383Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.624{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369382Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.624{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369381Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.608{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369380Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.546{27B459FE-5AC5-619F-1600-000000000F02}12882092C:\Windows\System32\svchost.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369379Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.546{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000369378Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.499{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-11-25 09:53:42.788 23542300x8000000000000000369377Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.483{27B459FE-5C05-619F-B200-000000000F02}4748ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=E3C42322EB9D0A3E07C0E31B62E4FC00,SHA256=6A9B273357366326DD81162D7E727C71D9EAAE8CFF22202AAF79B0F3461E92C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000369376Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.468{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\1.ps1.lnk2021-11-25 09:53:42.319 23542300x8000000000000000369375Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.468{27B459FE-5C05-619F-B200-000000000F02}4748ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\1.ps1.lnkMD5=26B0DCE4C2D45728BED2C3598508B9F6,SHA256=12FFC3C59F47CDE04FD1D9D15ED62108C57078158CF1818A327798A20623E725,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369374Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369373Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5C01-619F-A300-000000000F02}13444544C:\Windows\system32\csrss.exe{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369372Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369371Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369370Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369369Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.406{27B459FE-5C05-619F-B200-000000000F02}47485912C:\Windows\Explorer.EXE{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369368Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.409{27B459FE-5EC7-619F-4701-000000000F02}3012C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\System32\notepad.exe" "C:\Temp\1.ps1"C:\Temp\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000369367Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369366Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369365Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369364Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369363Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369362Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369361Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369360Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369359Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369358Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369357Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369356Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369355Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369354Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369353Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369352Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369351Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369350Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369349Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369348Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369347Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369346Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369345Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369344Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369343Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369342Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369341Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369340Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369339Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369338Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369337Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369336Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369335Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:39.029{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322943Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:39.303{99D2EDAA-5AC0-619F-0D00-000000001002}7763272C:\Windows\system32\svchost.exe{99D2EDAA-5AC4-619F-4200-000000001002}2984C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369397Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:40.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294F929C63B040D22DDE4C55F77E5D7E,SHA256=9B9A87A3A6B4E05F24ED7E3EA78357F840791E795B2DC3A4B26BC8B3AC442576,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322946Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:40.976{99D2EDAA-5AC0-619F-0D00-000000001002}7763272C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1000-000000001002}928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000322945Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:40.429{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7A342848FA87CFE6B8A532645049C6,SHA256=098A8243F2DA49A2C471B2D94012DC82AD3DB6AC79DA6BC8FACFDF1B14750AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369396Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:40.421{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=649653AC9235FE5CF527DA66D930D3B5,SHA256=D23860ED147091619E899E7666CCAE3EB0D921D765202B7771298F806B46CB0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369395Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:40.108{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92960CD349101DF56EAC2FA2BE7DD7E,SHA256=E83DA42085EE81F206B2541C873F9CDF29FF17D28C54641A07CD912384C7ABB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369399Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:38.674{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-21021-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369398Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:41.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777F618460B1D82934A795D7D4890AC9,SHA256=F8C43129F41A5C1CAA0F29324CC07C3491648EED992A7BBD927FF33FBF4632AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322948Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:41.461{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37416586889F0A72423BCB6C7E981DC,SHA256=AA1A8F2F644882F9CEB898A71C2BCF2295E3333C55C83AAFDC324E48DC3EE1AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322947Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:38.696{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49945-false10.0.1.12-8000- 354300x8000000000000000369402Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:40.180{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58835-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369401Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:42.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0D9D1B5A89E5BB60E1DD278A3DB90D,SHA256=773BE3EEE4F7768ACBC82B5BFB1E25D1E147CD42BC9CEE7605E78E832DC01CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322949Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:42.461{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03BD75A6798EED7016C1258E140C2F1,SHA256=26E6927C87F67A699F1CBCF6F6AECE405C0BC80CBCC315E294810C8D6AED12A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369400Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:42.015{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA08C69F7DEA790450A4429F4F1E16D4,SHA256=5EFE2E563D22DA0AAA61630A8BEBBDB1A947E7EA06AA2B71487A67EB00E49D4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369403Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:43.890{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020D7797F1D8F8DD04452A83FF3405B0,SHA256=6E78CAD6172C1D8DEADB53A74305CA48C31D4C60211DAAAD0B97787D90160E84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322963Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5ECB-619F-0C01-000000001002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322962Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322961Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322960Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322959Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322958Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322957Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322956Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322955Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322954Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322953Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5ECB-619F-0C01-000000001002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322952Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.867{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5ECB-619F-0C01-000000001002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322951Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.868{99D2EDAA-5ECB-619F-0C01-000000001002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322950Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.461{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D9D4C09E7C9CA49E7D91E698D35B44,SHA256=3AFA44A728AF73BC031BB8D013D2BB8B239FB0AC3A14D59EB0B8126FD60A4350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322966Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:44.883{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CE76B5D38BB11AD2129C70453A21F21,SHA256=998B861A92AD3A06D5DB767E801A909DD87B2675A73A7E2AAD4F17D3921024FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322965Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:44.883{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65ED22759212714CA762C15E6104D6B1,SHA256=5DE2B7BBB27A956AA3DC365134DE919C1F45EE31F7E4E73FAAAC0B28BE7771FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322964Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:44.461{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9694D66D79AF9628E0A5AA5EC390592,SHA256=562AF9707072C1285FC9723D190B1C5FCBB95FAFECEB1B386F49D0850466D611,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369434Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.874{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369433Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.874{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369432Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.874{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369431Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.874{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369430Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.874{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000369429Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.858{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369428Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.858{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369427Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.858{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369426Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.858{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369425Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.858{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369424Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.858{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369423Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.858{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369422Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.827{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369421Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.812{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369420Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.812{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369419Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.812{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369418Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.812{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369417Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.390{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B867363B3FD1EC8F320236E8C93B6B5,SHA256=159D9A8EA00D1AD70357A09842C58A0C57AE387331F9847B154BB3F4E22902A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369416Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.249{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369415Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.249{27B459FE-5AC5-619F-1600-000000000F02}12882092C:\Windows\System32\svchost.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369414Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.249{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369413Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.233{27B459FE-5C01-619F-A300-000000000F02}13444544C:\Windows\system32\csrss.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369412Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.233{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369411Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.233{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369410Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.233{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369409Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.218{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369408Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.218{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369407Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.218{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369406Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:44.231{27B459FE-5ECC-619F-4801-000000000F02}4756C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 13241300x8000000000000000369405Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:00:44.218{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXEHKU\S-1-5-21-3499523948-2023901041-105020508-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFFBinary Data 354300x8000000000000000369404Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:41.570{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-31324-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000322981Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.461{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C676CA4ECD02B85F842006F09AF453,SHA256=432A88010858C016E4CE303BEA71B255C7628893357B3D1A26E44C6468CC8614,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369436Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:43.633{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-38592-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369435Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:45.015{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF97F6B660DB0FB5788629288C8FABB8,SHA256=BFE130B417F1BFA52AEAA36A5E83770E296DAC6534E1D08633BF03A30B7D185C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322980Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.195{99D2EDAA-5ECD-619F-0D01-000000001002}11403320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322979Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5ECD-619F-0D01-000000001002}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322978Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322977Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322976Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322975Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322974Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322973Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322972Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322971Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322970Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322969Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5ECD-619F-0D01-000000001002}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322968Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.023{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5ECD-619F-0D01-000000001002}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322967Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:45.024{99D2EDAA-5ECD-619F-0D01-000000001002}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322997Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.476{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D826BCF0AAF8EE76B8B3AAD737B2C4,SHA256=BAD9191752C4D48C0FBC5A0F6483AB05965842117125F51D94B9B993FD4940C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369438Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:46.359{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A9161EFB3511928DDBFA6E9C8A07968,SHA256=8AA04C505B196852D1C62E990DE5109FB085372F5BBDE3170786D36DDE7ACD13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369437Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:46.015{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E376131CE6FF3F9E17DC0991182BD3,SHA256=37FB72A4024B0451B39B4A91BB4AF062B9B0D3AA49E1D75BD7B52EA12BA620AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322996Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:43.760{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49946-false10.0.1.12-8000- 10341000x8000000000000000322995Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5ECE-619F-0E01-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322994Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322993Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322992Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322991Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322990Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322989Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322988Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322987Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322986Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322985Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5ECE-619F-0E01-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322984Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.086{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5ECE-619F-0E01-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322983Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.087{99D2EDAA-5ECE-619F-0E01-000000001002}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322982Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:46.070{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CE76B5D38BB11AD2129C70453A21F21,SHA256=998B861A92AD3A06D5DB767E801A909DD87B2675A73A7E2AAD4F17D3921024FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323013Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.742{99D2EDAA-5ECF-619F-0F01-000000001002}9602580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323012Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5ECF-619F-0F01-000000001002}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323011Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323010Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323009Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323008Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323007Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323006Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323005Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323004Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323003Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323002Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5ECF-619F-0F01-000000001002}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323001Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.570{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5ECF-619F-0F01-000000001002}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323000Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.571{99D2EDAA-5ECF-619F-0F01-000000001002}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000322999Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.476{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC95DC89762C722505E48B3A8BBACBF,SHA256=DA4740A808FD7E3B2E80CC1A8ED788F0403C53DDF46FC9D7B0765F272ADDFE0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369440Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:45.257{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58836-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369439Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:47.015{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD66EDB74563E8CE395DF3562E0C565B,SHA256=A91169C850657B37155E31C5AFE7081AAD6A5A7139C7BFAECBC2EA898C2A76FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322998Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:47.101{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0823D59CA2B45516A584659216982F7B,SHA256=D4AD73C1C3BEEF65318DD705D29A3E698BB3F77E43A9871660C2A5AFF0775B91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323029Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.820{99D2EDAA-5ED0-619F-1001-000000001002}2243772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323028Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5ED0-619F-1001-000000001002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323027Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323026Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323025Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323024Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323023Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323022Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323021Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323020Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323019Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323018Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5ED0-619F-1001-000000001002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323017Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.648{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5ED0-619F-1001-000000001002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323016Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.649{99D2EDAA-5ED0-619F-1001-000000001002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323015Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.617{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C8BF7E1C3A6FDA9D179380E358A65B8,SHA256=19C84F067476644B739F27E37F236171921EC4EB252DC7C365035C3A848EF45D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323014Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:48.476{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D1E4A81462A1CE8D189F0FD74A7DBC,SHA256=CE838C43BE7728EE9015ACFA8DB3C1112D575DA3451787694847D8E5E55881C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369442Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:45.682{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-45828-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369441Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:48.030{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351DEDAFBEA3421452ABF311DF581180,SHA256=02DD22C410AF47BAC08C1ECFB509F24600425108D7E96FEA2D4FBD486B4114A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323045Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.664{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC482822C8CDEE85B39A9F8A5508FA07,SHA256=602176187176072FB94A140CCE2B31AB67F0B4E70609D092D5A144569F651B62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323044Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.586{99D2EDAA-5ED1-619F-1101-000000001002}3484684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323043Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.570{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC97D31D79E036430F3E029F915A8DD,SHA256=900EC1A93A242890AF386C920B8A5DB966CCC2BD969F88D961150959AFA01A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369444Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:49.609{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=195588FE8797AF0CE690B7681826C867,SHA256=6A94B72B5DB9BE8737D6DF687A854D9A545AC1331379B7C38B09CDC2BCEB39FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369443Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:49.062{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2777C501A806B7C1B474CA29F73F3794,SHA256=87A1CE5F77F49A0AFEF19848865957F23DFFDE8970C7FD8D14C6ADA72DA35F92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323042Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5ED1-619F-1101-000000001002}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323041Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323040Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323039Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323038Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323037Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323036Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323035Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323034Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323033Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323032Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5ED1-619F-1101-000000001002}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323031Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.398{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5ED1-619F-1101-000000001002}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323030Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.399{99D2EDAA-5ED1-619F-1101-000000001002}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000323059Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5ED2-619F-1201-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323058Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323057Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323056Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323055Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323054Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323053Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323052Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323051Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323050Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323049Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5ED2-619F-1201-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323048Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.851{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5ED2-619F-1201-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323047Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.852{99D2EDAA-5ED2-619F-1201-000000001002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323046Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:50.648{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38661C3FF3FCE2DA536D4571508FAC21,SHA256=88C11434E56E6007922B91FEF89FF6B506EA22C445ACEDF5CF0D0ED37B372B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369445Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:50.077{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=112D5F0CF842838DF3228ED2EAD29083,SHA256=B6BA4B46F707C46C17800016408F5689C342B4C41D63C9B0F4C2D08DFE240126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323062Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:51.867{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BD37949F6EEF7D5C6CCCC75C394B342,SHA256=943A977FB3E276CEC49D0E206C1B1BE9EAB6694B38FC75958A26E9D7C5531684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323061Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:51.695{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD422AE15EB8C5D8A736DBF1F27C193,SHA256=45914DD8FA2643D4B9C34D074D5B63517C659DF493BA8E0B0EC634F35C6FDFAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369446Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:51.093{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9FCD7194F35ADBD5D778031E9FEA5B,SHA256=76AB63D65387B22964DA321B2696D4DA8FA242EB8D7FF6CD9972D5361EFB76DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323060Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:49.620{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49947-false10.0.1.12-8000- 23542300x8000000000000000323063Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:52.695{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6A22FF33C9A9F1D9ABB2A8E6BC4E91,SHA256=BB3F7C8B9A5450AA2739377BE14615E95C14F5D63F27D91AAEFE7E8B7E767D00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369452Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:52.906{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1500-000000000F02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369451Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:52.906{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1500-000000000F02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369450Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:52.906{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1500-000000000F02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369449Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:52.484{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B60283866A47ADAFF6191C24598DA434,SHA256=75E632CA33E293BFEC01A4B0B5A523C9AE5AAB87AD84E5AB32A1260E815DA8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369448Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:52.093{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A74FAE0A4B3B45BCA08D89E451C801,SHA256=64773391BBBE926EF4A81560910EE688DED4E6400FD5184AA17CF81899AF9375,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369447Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:48.907{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-56521-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323064Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:53.695{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA57CEF4AC6560712D5B23B2E7181A3,SHA256=68B4D0049DF0CC838EEE9F56E7B73ABB3B335BBA4AC48C6DB0B31719EA42F807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369453Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:53.124{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AEE812188CC8E7DD27C3E7FA37BD329,SHA256=FBC258DD112298257BA3552BB4EC385D5B2042A17C3821458865B365B4F75524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323065Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:54.695{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A322D44DD844F134E4E85914151CC513,SHA256=AC6D635663B971E7D706E508E84583B82EB57DDB0EA4A063C0A71A4011870F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369456Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:54.390{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D855B9FA95B910E32CFE14501862FF5F,SHA256=1C8E94B5E520034C75D07D9F827C133F2377B3475FB353739FD1FCF49D1B3AFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369455Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:54.140{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91231D1260897ED1D403E900CE071157,SHA256=1454C2191318B3A4E6E29AF842ABEB99F4FF5B5944FDF9FBD1E84934FCCE6F91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369454Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:51.131{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58837-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000323066Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:55.695{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654075B8D4B29E35F6DB6B99E2C7E2C1,SHA256=F51791C759EBC13537066C0D82158F81D329CD60C19E5F10C9688B5B865B635C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369458Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:55.234{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7F861544BDFE27FDFD25400E29BA40,SHA256=1E6B2CFB95EC23D6A800F740195E5D7472136FEFB4AE9E33576B179B74ADB99C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369457Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:51.963{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-7938-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323068Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:56.980{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-016MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323067Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:56.743{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BAF23FA5348D9A514455E7448ADDA0,SHA256=ADB693364269354A5B481C7C5D4C804A4710F566AD3CBF14CEE5859474B423A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369459Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:56.249{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E99C406A9E9D7332F6A2191FC06279,SHA256=76390FA0485F05AC3B99089CF3A04A8F792AC8133A40AA5A7FE37CD238FCE2D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323071Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:57.994{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-017MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323070Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:57.759{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=281D28EEBA29A155A7C474BA955B6BC2,SHA256=11295CEBB065F6FEDB193C338AFEE3FCB61FBED0ACE7E258C3DF4559A8AFA4F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369462Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:57.250{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D5A626545C075521C97FE8430D0651,SHA256=78D86A739742EADC9BAF4C77E12DD5EE581CB758383AB21C9AD8161FB9C41966,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323069Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:55.619{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49948-false10.0.1.12-8000- 23542300x8000000000000000369461Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:57.125{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EDA3F76585C00751E219A4671587278,SHA256=3D7A07913C6DF34306777B9B8D189EF0CA982E3CB9FC4BB7EA77CFE0ED1FAD30,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369460Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:54.373{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-16050-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323072Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:58.791{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A2CB1937965AA217767535EFBD3061,SHA256=DAF27F0807CD9B759C0895511BE33685E0A020266C90F932AA050E5D707C9E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369463Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:58.250{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A75379335D90FB15CB0AD591BC4D00,SHA256=AA2494E8634582A0E94349D4F94F272C9947011B43D234BC8A3C80486E59BAED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323073Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:00:59.806{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145A0D55971614B141A6C01C73EB4AF3,SHA256=53571C498E4892D97CA04DAD44B6E59DC0F11FE429A2D38EE44B772FCDA0B7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369467Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:59.938{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=565C5CCF8662C407319E2F9C1FC23F4A,SHA256=E3FBE6FE7CBD439A9BB3FC97168724553B2D85ED579E7888D6CE2C100EFE8EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369466Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:59.250{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=732AA7B058F0427A03AA5B53C9F87757,SHA256=FA4F138EFAB25630C9025AB6BA6433BF61EB44B0972E54F7C19F70E5E2A6E39A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369465Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:56.425{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-23934-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000369464Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:56.225{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58838-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000323074Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:00.853{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290627B79053166AE5A0410B243EC7E1,SHA256=8D4B0275DE7F327ABD116CC74EC439C15DE871121453178184E2FEB616EDC83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369468Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:00.251{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6131905FA27956348DF4453C86B7F2,SHA256=64434D9C83DFF3379A7F58003BC3E3B40E30D9F02D55E4FF2337BF8C79C4036A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323075Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:01.853{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D6682678C9754AD4659478A00E983F,SHA256=FB576E1A13B583BAC81A1A983CBEE454AC3600C7C83378C68CC3F07946A10ED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369469Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:01.266{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3FEFC5E8C4254A12C921C0A6E82FEF,SHA256=89F7F784E82816DC7BFA3BC56FC9C0B59B3AB740FBA39FAB951A4C1CE1E0D68E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323076Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:02.884{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE888D49B2D569F1068DCF91CD851A78,SHA256=333DFFD2DF6ACB3F35CE8831CE4CC928AEB2959C1A605D77F5B1CE37A2D366CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369472Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:02.313{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B96261993B7D5563CAF8921E2163E2,SHA256=50EF05E933C598DB4A76C51E4B3F47CA8959B0F19226109311FE655F12302048,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369471Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:00:59.546{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-33587-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369470Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:02.188{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96462121218A1B0C59274F7C31505DAF,SHA256=1E99FA69803F73A30270BDBD574761C105CAA4525CE10E4D085101986DEAE295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323078Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:03.931{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A44C96DE0A03C8533C253BD54280F05,SHA256=3922D87A42084E49D160BADF304AA1A75EDA6951EB4369383B39DE02170B6809,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369474Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:01.242{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58839-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369473Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:03.329{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE8570C2BAC4C24CCB1A945FB14C1FE,SHA256=410A486D83C31C9D5FC2CB73B62CB04A823BE1C64F3248DB0BA93C9C0C9F47AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323077Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:01.605{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49949-false10.0.1.12-8000- 23542300x8000000000000000323079Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:04.947{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF18F4D975C0E45A1E75023BEDDEBE6,SHA256=932B70275B5C83FABCC3B391731DE7C0525E00560D5FD75CCBACE156CCC94F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369484Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.564{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B6FB376ACF2651505926963C6B10109,SHA256=0B892B85964A80D50F44CCC6A16DADA91C455C6FE2752F4943D5AD5465CA35B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369483Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.485{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EE0-619F-4901-000000000F02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369482Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.485{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369481Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.485{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369480Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.485{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369479Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.485{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369478Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.485{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5EE0-619F-4901-000000000F02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369477Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.485{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EE0-619F-4901-000000000F02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369476Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.486{27B459FE-5EE0-619F-4901-000000000F02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369475Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:04.329{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45199B766DAF6B611EDE4AAC8425E907,SHA256=091D8DC5539F46213803DB0EE8E3283E25A7C1CC374A04607D7C39E47FFAECA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323080Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:05.978{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB371EF3ACDE6E00F2EFD94B01B90E1A,SHA256=8EA19B4D7251D10E79CE5589973578E50B2C7CF4154ED766B75E3A680D281CB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369497Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.751{27B459FE-5EE1-619F-4A01-000000000F02}54045480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369496Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.438{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EE1-619F-4A01-000000000F02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369495Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.438{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369494Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.438{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369493Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.438{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369492Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.438{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369491Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.438{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5EE1-619F-4A01-000000000F02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369490Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.438{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EE1-619F-4A01-000000000F02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369489Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.440{27B459FE-5EE1-619F-4A01-000000000F02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369488Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.392{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8311CEBF19FD1C71CAF1315B81AB7CAB,SHA256=D331C97522F0D0125B44ADE2888DA7F76D3C3431570007C0E74D2E1EA09AAD53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369487Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:02.586{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58840-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000369486Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:02.586{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58840-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000369485Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:01.566{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-40717-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323081Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:06.994{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19B97C0527BBE4D8A914037BF736996,SHA256=8BEF0C10BC246EDF21E37ED1B5F0901D3D21FE221BA83B2B8C29831F522EDD6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369519Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.985{27B459FE-5AC5-619F-1600-000000000F02}12882092C:\Windows\System32\svchost.exe{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369518Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.985{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369517Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.579{27B459FE-5EE2-619F-4D01-000000000F02}51765620C:\Windows\system32\conhost.exe{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369516Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.532{27B459FE-5C01-619F-A300-000000000F02}13444544C:\Windows\system32\csrss.exe{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369515Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.501{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369514Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.501{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369513Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.501{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369512Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.501{27B459FE-5C01-619F-A300-000000000F02}13443148C:\Windows\system32\csrss.exe{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369511Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.501{27B459FE-5C05-619F-B200-000000000F02}47484988C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+1f9bca|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+175660|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+17c4a6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 10341000x8000000000000000369510Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.501{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369509Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.499{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp"C:\Windows\system32\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000369508Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.470{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EE2-619F-4B01-000000000F02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369507Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.470{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369506Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.470{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369505Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.470{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369504Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.470{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369503Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.470{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5EE2-619F-4B01-000000000F02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369502Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.470{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EE2-619F-4B01-000000000F02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369501Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.470{27B459FE-5EE2-619F-4B01-000000000F02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369500Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.438{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4FAD6B5177B19571D53FE813DFD2834,SHA256=EB836643D231C4895D038000BA788889643E9DFD85C9FDEBAEA6B5BFC2567770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369499Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:06.392{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5FC35663201817E924576885026541,SHA256=89E9897AC44B9594339161E81560046189015AEF2803489F861470CCB0FD23D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369498Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:03.917{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-49478-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369534Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.735{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F495023C71F8611F05D7B9BF02116C,SHA256=3E2C9436CAB6E8A02620C2E3F1F51CBAD791CC71A84D3129CD6255750602245D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369533Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.735{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B00A61B045ADCED6A004C820A2A913C,SHA256=FD66B452225BC49B65355DD00446E80C11A03BEB8D2695C21698B5F95C49BCB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369532Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.048{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369531Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.048{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369530Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.048{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369529Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.032{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369528Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.032{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369527Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.001{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369526Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.001{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369525Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.001{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369524Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.001{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369523Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.001{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369522Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.001{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369521Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.001{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369520Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.001{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369545Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.860{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA249EAE099DC7A8322769F3AF9F805F,SHA256=EB5F9C699893B9ADF6A4654F58EEDC2C5404AB4EA2E090F3567A3C6E3F067C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323082Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:08.025{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7AFA66D7FE43D7A00C1C72DAC508C1,SHA256=CE20E4C31BA8BC20223C66AB350D5166919AD37B8EBE4C068945FBA2B6DCF7B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369544Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.845{27B459FE-5EE4-619F-4E01-000000000F02}34765408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369543Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.548{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EE4-619F-4E01-000000000F02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369542Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.548{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369541Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.548{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369540Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.548{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369539Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.548{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369538Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.548{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EE4-619F-4E01-000000000F02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369537Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.548{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EE4-619F-4E01-000000000F02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369536Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:08.549{27B459FE-5EE4-619F-4E01-000000000F02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000369535Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:05.871{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-56603-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369556Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.876{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C4BC649804857C208E93A8576A53FC,SHA256=82432332B359354E067E13D473474872C67844DBBFE3692D1186B00C58C74EFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323084Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:06.715{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49950-false10.0.1.12-8000- 23542300x8000000000000000323083Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:09.040{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D6608D29639B2D053FEF1BE15ED921,SHA256=6531EFA95E4A09FC232938B0233FD179272949D82EC0F64F0783DF9C116B4D68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369555Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.392{27B459FE-5EE5-619F-4F01-000000000F02}55725536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369554Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.360{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BE4F6CAC802EEFA66432B26FC4A2494,SHA256=D9B56BA393FE9B8C4FF47E83E2FE41758AADF7CA4A38BF9BDF76023593B1E8ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369553Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.048{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EE5-619F-4F01-000000000F02}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369552Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.048{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369551Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.048{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369550Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.048{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369549Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.048{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369548Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.048{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5EE5-619F-4F01-000000000F02}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369547Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.048{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EE5-619F-4F01-000000000F02}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369546Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.049{27B459FE-5EE5-619F-4F01-000000000F02}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323085Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:10.072{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90458DB34273558718930EB74C3DE2CF,SHA256=E0E8393449C69C289CD49DEB15EB183F18C30AEFF99A332E268557C454A788CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369574Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.298{27B459FE-5EE6-619F-5001-000000000F02}59086004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369573Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.251{27B459FE-5EE2-619F-4D01-000000000F02}51765620C:\Windows\system32\conhost.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369572Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.251{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369571Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.251{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369570Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.251{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369569Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.251{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369568Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.251{27B459FE-5C01-619F-A300-000000000F02}13444544C:\Windows\system32\csrss.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369567Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.251{27B459FE-5EE2-619F-4C01-000000000F02}55965504C:\Windows\system32\cmd.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369566Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.252{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershellC:\Temp\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 354300x8000000000000000369565Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:07.180{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58841-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000369564Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.079{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EE6-619F-5001-000000000F02}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369563Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.079{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369562Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.079{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369561Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.079{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369560Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.079{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369559Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.079{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5EE6-619F-5001-000000000F02}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369558Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.079{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EE6-619F-5001-000000000F02}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369557Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:10.080{27B459FE-5EE6-619F-5001-000000000F02}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000369585Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.861{27B459FE-5AC5-619F-1600-000000000F02}12882092C:\Windows\System32\svchost.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369584Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.861{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369583Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.845{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369582Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.845{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000369581Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:01:11.657{27B459FE-5EE6-619F-5101-000000000F02}5912\PSHost.132823080702529545.5912.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000369580Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.642{27B459FE-5EE6-619F-5101-000000000F02}5912ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_srgrahq5.bui.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369579Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.642{27B459FE-5EE6-619F-5101-000000000F02}5912ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_aogicgwf.hjw.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000369578Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.486{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_aogicgwf.hjw.ps12021-11-25 10:01:11.486 10341000x8000000000000000369577Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.423{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369576Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.079{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2AA89A171049955AD7A0E66EDF28EAE,SHA256=6BFC4C2C642C1CC3DD167F544CFFCE0ECEB3DB036CD5238E3217189EF55D7614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369575Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:11.017{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E74C683493FD04E58980D5F4032409B,SHA256=A8A56BFDFFFCD557601233598540254BC6FD9CD56D8027A8C36254E06B23069C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323086Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:11.087{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B98EBE8F5D446781ED66EECA0D8835B,SHA256=BED04F4B88B6D47FC1549D50B63968AF132ABFB8B9415C0EDCC25EF3364D244C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323087Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:12.119{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C4D3ECE4A855BABE3E27F3901411C9,SHA256=DA3D2B77A954E84FEECC988C15487EA25F3271126571161F5C4CCABCE3F00C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369597Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.829{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C87657FB422F64B55CC701938ECFCAF,SHA256=FED5EA0D71D7616A148F81A33496D6D1F5A2DDC8596B5388868AB468CCA86FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369596Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.424{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=265F5542F89EFEBA992B64CDAB7A3A0C,SHA256=17319B857FA342DC5C4C1789783D91AED119E9C1B8ADC4D822222D6BA535FDC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369595Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:09.100{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-8254-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 10341000x8000000000000000369594Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.095{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5EE8-619F-5201-000000000F02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369593Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369592Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369591Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369590Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369589Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.095{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5EE8-619F-5201-000000000F02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369588Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.095{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5EE8-619F-5201-000000000F02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369587Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.096{27B459FE-5EE8-619F-5201-000000000F02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369586Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.032{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54593E067AB0D7F4C0F7C0B6C0FFA81,SHA256=E38EC978CF21E62C82738FF6C987F6E77F2368E8334484E0DF2DD1375C5D6BCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323088Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:13.119{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9224510A719861E531E72A04E549547,SHA256=574EC46098EA1A66F4C2C63970BDAA7FD067A5D82DB68D1225CF22453CC5E6F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369598Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:13.032{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435CC24B5EE801CEDE9588604A7C7F08,SHA256=A9EA57BE032058FE45B120EA6F7776C2310167996E61C2F5DB73E5D6270F7757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369603Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:14.829{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56B74EFFF1DF09A6E2418BB7F7C19890,SHA256=21C0479AA63D3B961BEA368DC4AA304657168B821B9B34068FBBE56BA457187F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000369602Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:14.689{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt2021-11-25 10:01:14.689 23542300x8000000000000000369601Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:14.611{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369600Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:14.048{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A8F1781370E9DBE53E5546A16CF4FFF8,SHA256=D55BF56E2B9E1B901A58F05E91ADE944E980BFE79272EC24754D3F94E563D98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369599Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:14.032{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0954DCDC499B08122205EBCDF63F1AD,SHA256=EFD21F0A97564CE5A60DFAAEA365D0D90BD9CD4377BB548589A067700797A36D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323090Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:12.668{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49951-false10.0.1.12-8000- 23542300x8000000000000000323089Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:14.134{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550A3A8AF41677C949604C27757BB252,SHA256=0FF94D5CB58595D0F110CB2A6E6EDFFBB0EA5FB6A1B58E62FA1B4AA6F1FDF128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369609Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:15.767{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C820CAB07DEC62B35BDBB5C9E2352346,SHA256=1066D482F647BF8B1E8933B8D500D4FFCA16C810F0203504BBBF5946D4009FB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369608Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:15.751{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=42D718AB4B006A5CC4306656DA6B0493,SHA256=8F52D2A5BE556187445FF4571C2C6E4E63AE857E211F7686BB4D17BC21D9D736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369607Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:15.361{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EBC3C875D2288C2FDEA0BE96B64925D1,SHA256=0069783BFECCD19AA9AE98E219CB65FFA675B1A1B17546FF2B42DCBBE01CB9BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369606Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:15.346{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3009FBC1010DDE6ABD90EA83682B3BD4,SHA256=CF0E44F68D44686334C6B83F23AF9497958A350033CB7DBC338B4CDE2A0F918C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369605Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:15.331{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC505133D657C5D117A774A33B8BD16,SHA256=68C5F40F629C5D7E978371222ECD233E450D09B03766496CF8EE8F3E8A40C763,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369604Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.085{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-18779-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323091Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:15.134{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460B7ACE8DF19003CA75DBBB372C804A,SHA256=7F1D6E2B388D51B3C88391F0C495C74B558FAAFD946C00F55C3F619544906AF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369612Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:13.633{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58843-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000369611Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:12.289{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58842-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369610Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:16.251{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7DA87E7468EA26AFD6BD3F818B1A31,SHA256=11337CC44E06DD7D75ADBEA2216361142834CB257D0715B72564877B4609E567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323092Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:16.134{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242EE26473AFE68EBCBA6468BAF98AE4,SHA256=73CB10203EF462D3D2834585A1D96446936991E99C0BD41BAE0D81FE16A531F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323093Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:17.166{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D571F0F8C5D3AC765F6E4AFD7A8E5AB8,SHA256=8CFA36DCE9AC786FBE04123445E40A1F70C41C28B926F5D79AEEB12F93CD7557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369616Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:17.875{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=208A3C787A4809DAD1106EB273B3585C,SHA256=1D518A9E18F44D0606216D952D4DB9F7AB6BEA301A7ACDD032875473CCD6FC71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369615Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:14.560{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-25505-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369614Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:17.265{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5976F0B7FE4B8E8D2B6FF1458F806B4C,SHA256=C742EFA68F058BDA350A8D21D944AE4D292069DC891C8FA415540285285558DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369613Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:17.099{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-016MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323094Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:18.197{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A62006BA7F48CD0C781BD539C65CF30,SHA256=69E43402849A79E214C9A1C835F6B9D29A289179BBAD84B37E50AFF7B6875186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369618Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:18.280{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D976B003AD1E1116117C6A8520BDC3E,SHA256=0EA9FB274B8E04EB0BBF8265B4FC699F0234BB40141A0989E5EC2E3A5A2A9A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369617Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:18.110{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-017MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369619Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:19.283{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F5E3E992B27D59E75023F574A692E5,SHA256=F869A430F50D9C9241A1670ACA6EB383F9E41378607DA3BF96F23C18E949FFE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323096Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:17.811{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49952-false10.0.1.12-8000- 23542300x8000000000000000323095Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:19.212{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CF848B41878D209A5AF651FC27CAAA,SHA256=85ECD2B8FD2303C6619A4D0DFAF171E645D6CA643A8EE0A7F6F9F2086467AD1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369622Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:17.198{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-33051-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369621Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:20.312{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF13F57EFB3845BC393C64E7600833C,SHA256=BA2D4CF77B0C6500339E7773BB8E1B46F5855349E8470134B009BBFC6FBFED58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323097Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:20.242{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A69E6B3C0ED25A1F10304D362334C4D,SHA256=8BB8721FAC6F056B609EA36466B15E8CA1959132FEF7C4870AB5E3722906E7FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369620Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:20.015{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82DD92457B5F426F9C886ABD4865A247,SHA256=2570BC155AAB00BF7EAA68CB0E1926C7B5AC09D0818DED7C6F313EA004F3E930,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369625Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:18.133{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58844-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369624Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:21.328{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAFCE6E2E3FDE69355A1DEDC31C5605B,SHA256=92EA8873696FB7EA2438589B4CFC710FE8258DD40E56BA4BA8E9C7F6143C8CC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323098Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:21.242{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847C0ECB0A9630FDE2347E4E1AE9BB64,SHA256=1FE88E1110BAA22FFBFC0C6B1079FD3D5C4B96DF2FBF33E4FBCE341B8CFEBE68,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000369623Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:01:21.281{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0x65d22454) 23542300x8000000000000000369628Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:22.422{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6110A76ACA910EE837AB712095C3E365,SHA256=09D159090B19F44ACAA5B378D22624DCF11704589B61593CF6E7BB7A4EDC7531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323099Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:22.258{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E595EE4ACF94E75222074ECC71C2D1,SHA256=A72734713F6DB3C562323C2319E9320CAC1C24CB7B552AE72D5DDDC781962040,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369627Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:19.370{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-40254-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369626Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:22.312{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0622D5DD54DF82AE8CAE1DDD2DAFD27,SHA256=66E875B0C7E4529163D2C55858BC39D0399ED2FBA45F486425539268A454070A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369629Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:23.422{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46F13A2242CF2CB9C7BEC1964C050EA1,SHA256=8D424008361024F24CBC82C87576E14FD176C40E01D8DFA9F15702980B55826C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323100Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:23.289{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B87ABCFEA63080CFA2DE96497AB37B,SHA256=290227BE1E31BCE52A1961DC8B16F575A07DBFD1C5957684F902A49EA4A8FCEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369632Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:24.562{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5D59147A60871484ECCC2AC4AC2D5E4,SHA256=236751D7ABDAE017794C9399C2CE063AC554AAAFC344CFBBE690DF1D9C20B6DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369631Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:24.422{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489D1F76AC04574D0B02643585F16FB5,SHA256=894973B7940C25534E94DE22576731D2328E92A03F6378CC5A38E78658D4E354,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369630Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:21.620{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-48457-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323101Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:24.289{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A65737931CE38593953D311C7101854,SHA256=511204855CFBDCCC5604D7D8A89A3C1DF6149FFC79E6A6E60195A93B05F8D015,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369634Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:23.209{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58845-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369633Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:25.422{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C1D99C31045C3FA90A141B3DFC6F3C,SHA256=EA5D6B1F07487A3757EC1D0987B1C898AC40A9B2EE030D494858B6491541B69F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323103Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:25.289{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC160B5630AD2133BD04BFF292E1A9E,SHA256=79151AC307C334FB643126C3B97859B473B7242D9A08A0FBF09DA82B766E681D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323102Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:22.868{99D2EDAA-5AC0-619F-0F00-000000001002}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse119.167.194.165-54129-false10.0.1.15win-host-61.attackrange.local3389ms-wbt-server 23542300x8000000000000000323105Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:26.305{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5780A21B602C2B91F087538F2B856575,SHA256=B3355B35FD72802C7114A950327D2C42F0FECA10458968050195BAB0B9103450,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369636Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:24.110{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-57117-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369635Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:26.422{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601352696985A1EDD1E4447EDB48DF16,SHA256=C4E6AE75A8260C3B20851632755B7AC40427A91453E20201E0256AF4CF67C096,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323104Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:23.713{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49953-false10.0.1.12-8000- 23542300x8000000000000000369638Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:27.422{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5275C82D3E17EFD4E987E6DD840CF584,SHA256=5FCFCF6B8B58F86DA3B3830FCED4D4FDDD421FF28DA3F75FB95F06B23F196807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323106Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:27.305{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABA2FB01A6996ACFA48BA8BA53F7AE4,SHA256=6259AFB542C093345FF51678F7C409F940DF25106C29CFFD4AB6D7A17F1CF696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369637Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:27.000{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=314D03E2E53F6FBC0BB2687D2C1D463A,SHA256=1E4A89104E5B034B8A8323D97C95ABB52FAC989C33D4160C99EB00C480CED7DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323107Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:28.321{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C419C226B33EABC8B5FC3312C1C4EC3,SHA256=A5B9AA6994B02A4AFFB406C349C33CA548B295F85943A4067CE23E0ABB4084AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369639Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:28.437{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E5D151A93ABF02319AA0EC9F6C0BD4,SHA256=405BD9CBD16AC7F6A46F578DE86952014C20A512FDB1ACFF26D9BBCE778E6B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323109Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:29.383{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=35878E77E1AEE029651D66E36B8E9189,SHA256=72378A4965BD5FED4CC7BAB2C6470F124B534FFFFADDD2E2FEC4500F35AF2FF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369642Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:29.437{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CCF19FFB72E3EB89182E66105BA9D2,SHA256=CDDDEBDDC9BDFCC6A73F711E86B02108B20602975EB94BA72472FF806F37AAAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323108Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:29.321{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02EEFECAF61B78D0A51828EB4A0E3DE9,SHA256=B434331AD7894A6660A5AE2AB8BA39356898D59C23AEC41D808243A62C7FD955,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369641Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:26.165{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-6147-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369640Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:29.141{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2306C0DFA30D689EB97996384C1C218B,SHA256=D6FF51F063A75FFFA13F8AFE5960F582DEEC6E85C67F7930CB02167E6888FE9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323111Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:30.352{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4CA423B7ACCB55E3F17327DB8A8F20A,SHA256=8422BAE1B203BFEE07D490C66AF3001144F119FE6CBF86CEB5A1CFAF3F872148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369645Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:30.922{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55015210B21C7DBFCA77C3D3FB9A34E4,SHA256=4C6E99A329249877B3B2ADC01AFAD69CBEE530319BB04BF1D33B7BD8CC2C203E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369644Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:30.437{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772368FF548B1B6864DAA06951009D7E,SHA256=91083C1CA0AF16C9B7D319969BBBDD5A595393010BC7A8534E8120910AED87E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323110Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:30.196{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369643Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:28.225{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58846-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000369652Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:31.766{27B459FE-5EFB-619F-5301-000000000F02}59443476C:\Windows\system32\wbem\wmiprvse.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\combase.dll+251d2|C:\Windows\System32\combase.dll+25afe|C:\Windows\System32\combase.dll+258bf|C:\Windows\System32\combase.dll+593b8|C:\Windows\System32\combase.dll+58fd0|C:\Windows\System32\combase.dll+65dd4|C:\Windows\System32\combase.dll+c2904|C:\Windows\System32\combase.dll+63051|C:\Windows\System32\combase.dll+64850|C:\Windows\System32\combase.dll+217a|C:\Windows\System32\RPCRT4.dll+da374|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000369651Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:31.594{27B459FE-5AC5-619F-1600-000000000F02}12885136C:\Windows\System32\svchost.exe{27B459FE-5EFB-619F-5301-000000000F02}5944C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+1016a|C:\Windows\system32\wbem\wbemcore.dll+2d15f|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369650Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:31.563{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EFB-619F-5301-000000000F02}5944C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369649Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:31.547{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5EFB-619F-5301-000000000F02}5944C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369648Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:31.547{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5EFB-619F-5301-000000000F02}5944C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369647Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:31.453{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96859032F6D1971C29C4ACD4CAE4D92B,SHA256=ED2F6FE44EF3F2847176F320CE8CA96E3986151961D9D348601AED72C6655615,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323114Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:29.729{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49954-false10.0.1.12-8000- 354300x8000000000000000323113Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:29.729{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49955-false10.0.1.12-8089- 23542300x8000000000000000323112Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:31.352{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C9AEE61F9BEC84C44788B33CD8FDD6,SHA256=E78560238D7FAE3E5D4CEF0C2EAE2F440B12F3245E588E859DB9C365147B10EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369646Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:28.343{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-13791-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369654Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:32.578{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCB198B9FB35E9018BCC6571D797DD5D,SHA256=884C39182DE3A6BE34D6343AEA1B81726BB6BDB7B3D116A1CBA67CCDFBA89FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369653Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:32.484{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33ADFD22B1199B64899C72B31B1F043,SHA256=BD21DEF21F2FA564EBB6AD372E575F6FC5DAA8694BEFBE2EA9A9ABB453EFD6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323115Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:32.367{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD7FC78F3B1D1A03A2D1591BB112861,SHA256=675366F82DDE392E53BC6419292AB928D9BE4E1C9B20DF7BEB65FF9D4F21A19B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323116Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:33.383{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0E45AA642CEE97F5A66F386AFB99EF,SHA256=040E07D2DC72C05DDE191DFE32890AD6F0169658A608A3FE76DB020223782618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369657Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:33.500{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C0BB65A76794E28DA12F8A54F89D52,SHA256=830C7BB3F978A3DD4578EFE0AABCEE604AC5AD888801ECC10FC79E5F3FEDFF97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369656Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:30.718{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-22449-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 10341000x8000000000000000369655Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:33.000{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5C04-619F-A900-000000000F02}4220C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323117Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:34.414{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2DA14CB229B3E4F40F89004630B5BF,SHA256=57F63117F135BFB6304875C6D43095EC0E3A62D3300B1F4F031EB93C1443E04B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369663Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:34.563{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=893B81E8415532560D4F9469A596D1BB,SHA256=016BA9421A782A97227E468B9CBDBBD388CA94EBDADCB971664444EBFB3887BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369662Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:34.547{27B459FE-5EBE-619F-4601-000000000F02}6136NT AUTHORITY\SYSTEMC:\Windows\System32\taskhostw.exeC:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-trace.etlMD5=0E932D44F53440D94EC8E068B5F17C4D,SHA256=4A79284976AEE7AE63A2843A3E70C9BCE26FDF387A4328C1150D8BC52025846C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369661Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:34.500{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F153A21C3247B5CF829118BC7B0FBED,SHA256=0E34A75A409FDCF70549607C1C42E5B3186078C3B22A1D38841D0FA1EB335437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369660Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:34.391{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6C024A3C0B54C803982445C0E69DCF5C,SHA256=EA4836D9D7FA67CE479AC83F450EA41A8BD97AD9444D0747E26241EF72F19BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369659Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:34.375{27B459FE-5EBE-619F-4601-000000000F02}6136NT AUTHORITY\SYSTEMC:\Windows\System32\taskhostw.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IDR_XML_DEFAULT_TRANSFORM[1]MD5=15F2D97D4CC84928F7B1C451696E46CC,SHA256=681ED90C97CC621F8D31C36C594202838DA4C282F9FB850E53C28AA024ACCF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369658Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:34.375{27B459FE-5EBE-619F-4601-000000000F02}6136NT AUTHORITY\SYSTEMC:\Windows\System32\taskhostw.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IDR_XML_DEFAULT_TRANSFORM[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369664Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:35.516{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B79DB664998406C07A6DAE8D6EAF02C,SHA256=93F0C1FB9D9F52A576A4F69DEBA10E07A2DCDEF78BD496010FB9DEF8D27216DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323118Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:35.414{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7378DD23B3C6ADB1D374E38A1BE3A9A,SHA256=A28EA370295312C66035BEC923609491A023C8E27A30E74E7E5DC8E3818216AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369668Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:36.531{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E642B7953AA1035205E54408681CAAD1,SHA256=BCF5BCCEC7DB3FBD3E14593206F6691830BFE15A65A5855A0EEA3E77A0FFB1F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323119Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:36.430{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137272A34B37C3B672FB068E612683F8,SHA256=8445FD2484648F8E8A00C02ACA28ED4C0E5E98C295344F5F5E380106B6C7C037,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369667Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:34.209{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58847-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369666Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:33.900{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-34049-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369665Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:36.328{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6E6B3281AFFD35B3985C4B6DE0FD2AE,SHA256=724C9749614C76A17DC62E6B2353E37ABFB19378156902C9B9D0C4B598CB2868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369669Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:37.547{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F406998E9F72B84262E949D7AD7B6C7,SHA256=1DF4C60E1011236FB94F7991C44B1B3BC18C200440E44AD1B876328669FE41D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323121Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:37.477{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5D8F1BEB94AA6E2DCBD2CD81AEB95C,SHA256=F0FEC2E3ED4F8C3374C6C2E99580FB08BA3662DE00FA0C96788C452BE4E99894,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323120Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:34.760{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49956-false10.0.1.12-8000- 23542300x8000000000000000369670Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:38.563{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518893F94567A43C98018393684666D3,SHA256=4B3038A8E4342506B45B86F6AE17597B8C3BFABA435FC38633CCE2DF58838A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323122Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:38.477{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44ED2FC06415C5744794AE533C8BB685,SHA256=3B982201DDF61D99EA8057FCFC5877CA1E4AAC33895DDEE120E580086D855C9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369673Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:39.653{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E0F988183171982C54B01B508DAD4A0,SHA256=979EEA583707CAF2692AB2D693943CFC77A89C20F2B8F0E01A1F0AC89337B000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369672Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:39.574{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437DF45DCB46F1B502273B804379E99E,SHA256=4570C9C626D1BF5D1417B3FDD258F48966C76B38DEF4361148E4A56C242102A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323123Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:39.520{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFABB36850ED1ABA0D1529B0290685FE,SHA256=47043F7C1236F8E0E9E3AE39F15CF4BB5E13E753120218107F38F1C3A6ECBBE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369671Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:35.777{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-40873-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369674Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:40.574{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5B5EF64FD1804D94C3BE187F3640D3,SHA256=A5F6CBEBEB9F19351CA0B164EFF4297C5FBC1244BC216472B9196B726F48EE4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323124Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:40.520{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0F6B2DEEE8076733AC60C6C11306F3,SHA256=6B5E9086BEA694040A4C6BD56FD295725BCB87EBA5377608E75A918BA9104866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323125Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:41.520{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F0A2D542DD3A93822E38AAFD5C2F28,SHA256=1BB2B5DB64D08F2A1A3C129852B564B130C7FD1753790DBEC79239170A566887,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369676Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:39.412{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-51976-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369675Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:41.590{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F3C3DCBC6FC811DF68609A9D8EA2FB,SHA256=A7BCE56E8FD11CE6C545D9EBC4D4350937C4ABCFC14D239DC6672C7D0ED532C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323126Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:42.567{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=112B196B1A91B8FC5DA53F620C38659D,SHA256=8F9858144003CBF5B40FD642400D16696E7F0C05A930EAA2B4A9C6E89030ADD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369679Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:40.112{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58848-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369678Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:42.590{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FDFB4D42E9E25F490CBE11DCF5DEB48,SHA256=DFD9F61F0A951B56A0BBAA565F6BD5DDDE191EBB534501638842FEC240F1139D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369677Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:42.106{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19FD62FA0251B49CE39B0F77E598B304,SHA256=7000E1B6FC2C01F99933D193A953158F945E715A69EFE7364C64459ACF1719A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323141Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F07-619F-1301-000000001002}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323140Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323139Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323138Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323137Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323136Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323135Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323134Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323133Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323132Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323131Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F07-619F-1301-000000001002}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323130Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.879{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F07-619F-1301-000000001002}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323129Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.880{99D2EDAA-5F07-619F-1301-000000001002}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323128Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:43.582{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36700DA0F35F299015AEE2A64128085F,SHA256=C8D7347EB1540B46D680D57875379BC54940E3C6BE27B36E8B4913E04CC8CF3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369681Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:41.428{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-59320-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369680Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:43.606{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEAA04306E91391397BB675E61FF74B,SHA256=CCAE6CECD4E15060F2FC9587B6645934E43511F61B3B51584B9C82EC9E864001,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323127Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:40.600{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49957-false10.0.1.12-8000- 23542300x8000000000000000369682Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:44.621{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D468305F94350A2472D814B9B3F507E7,SHA256=C1D531F17A86192D50F6A56C78C217F72A5AFF43C45953F7A7BAEFC5D4BE126F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323144Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:44.957{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAB042EB77B1D65760A8ADF246C2C736,SHA256=E59F907CF671695F1E150D29BEACF82DAD5CEA79321BFDD6F585B2C22EE3376D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323143Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:44.957{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7982F50E17DF3A2B520447A73565DB8D,SHA256=2537521CDFC88E195A62E16D16EE4F4A405034EDAC24B73BC70B0BAE4B542B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323142Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:44.598{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A561A3BFEDCAD3774D0896B812D6EB93,SHA256=E26FC49E6F737B35341B5F7F1A7C60D14B3E4C26C149FE51DB6081B9CE2946D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369684Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:45.684{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8923AD4D19E633CAB0C8F147895C72D,SHA256=2EFB9E3E34B61C74A1EDA561B7DEAD4D1D34E1C15BE428EAAFD9766127AD82E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323159Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.613{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD906737C510CBF52F0F18898711744A,SHA256=A2458426567E9FD46B2607A2D6E9A44385C2075112F6DD99CBD34528987C6BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369683Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:45.200{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D93C985D7B5A5A9260019D59BB5C052,SHA256=2A2596A6EE7F11F985FCAB75B56697E826AC33CE8B3AD61D628A4C328ABC0A6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323158Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.192{99D2EDAA-5F09-619F-1401-000000001002}40081116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323157Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F09-619F-1401-000000001002}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323156Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323155Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323154Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323153Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323152Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323151Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323150Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323149Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323148Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323147Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F09-619F-1401-000000001002}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323146Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F09-619F-1401-000000001002}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323145Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:45.020{99D2EDAA-5F09-619F-1401-000000001002}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369685Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:46.700{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97055D7CF5ED97E2A14BC49F74947DB9,SHA256=5DC894675E635589601E87DA69D01AE1CB2F7DE52BC69BD5C4C333FF92D2E9FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323174Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.613{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D347AD04F9F4813558E23E68CF75641,SHA256=6F262967BCB32F1ACF180E96CD10E9153CAEA223815311D5578EDC5E7BBE6DC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323173Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F0A-619F-1501-000000001002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323172Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323171Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323170Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323169Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323168Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323167Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323166Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323165Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323164Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323163Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F0A-619F-1501-000000001002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323162Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.067{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F0A-619F-1501-000000001002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323161Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.068{99D2EDAA-5F0A-619F-1501-000000001002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323160Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.035{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAB042EB77B1D65760A8ADF246C2C736,SHA256=E59F907CF671695F1E150D29BEACF82DAD5CEA79321BFDD6F585B2C22EE3376D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323191Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.770{99D2EDAA-5F0B-619F-1601-000000001002}30922788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323190Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.613{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81AA0EC6A0FB05B731168D7315FC571C,SHA256=060F796DD07CB0A2030D5A9241928D9FD1CF9B4871F467ED882A07C7B7848A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369686Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:47.700{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41AECD8702659D5C14C05F87231E30CB,SHA256=19B08D0C9C1A957FAF781ACF21311C6238F8A6820C03A1185DEDA55F64B5392A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323189Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F0B-619F-1601-000000001002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323188Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323187Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323186Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323185Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323184Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323183Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323182Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323181Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323180Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323179Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F0B-619F-1601-000000001002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323178Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F0B-619F-1601-000000001002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323177Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.567{99D2EDAA-5F0B-619F-1601-000000001002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000323176Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:01:47.488{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0x75711739) 23542300x8000000000000000323175Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:47.270{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D849707E52FAD3AC51DF417E75BBEF63,SHA256=11601D5C3D70B9F96DC8A120B7E8A520FD468E75BF74A3C1EDA72CD34EE4457B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369695Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:45.159{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58849-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000323208Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.800{99D2EDAA-5F0C-619F-1701-000000001002}33283636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369694Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:48.700{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C6828C35996D56F9CA8FD64A88050D,SHA256=0F08B538F843C88C8EF990EB8A44B41D8F8C04BFCC3391E8A29FE9F6C4A91EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323207Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.660{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA89F0F7C1EF4874C423D375454DF8EC,SHA256=D48278E514840A58580CDCB50C83073E27BCF038344E0AFF66FACCBDBAB44072,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323206Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F0C-619F-1701-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323205Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323204Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323203Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323202Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323201Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323200Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323199Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323198Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323197Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323196Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5F0C-619F-1701-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323195Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.644{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F0C-619F-1701-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323194Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.645{99D2EDAA-5F0C-619F-1701-000000001002}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000369693Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:48.684{27B459FE-5C05-619F-B200-000000000F02}47482232C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323193Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:48.597{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61E1819BD9F3A9A5A80BFA596F1ED148,SHA256=ED9B81FB9266EC725977330B14E689DDA69291116B797873CBFB3158EBFB13E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323192Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:46.600{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49958-false10.0.1.12-8000- 10341000x8000000000000000369692Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:48.684{27B459FE-5C05-619F-B200-000000000F02}47482232C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369691Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:48.684{27B459FE-5C05-619F-B200-000000000F02}47482232C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369690Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:48.684{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369689Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:48.684{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369688Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:48.684{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369687Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:48.684{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323224Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.690{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF039873CBC19596DC35AC88A445BAEC,SHA256=4D8A2AA19A5953FAFF924D0AD7352B6117A843B769D219F1937EF46AF8806900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323223Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.690{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6CC7147E319AD6C2E4644A430AB41AF,SHA256=6F24881CE537B086957FA815AEA5CEFE38382C0D04B35838FE42C23AB4EDC519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369697Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:49.793{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=332A96E686608C534BE375C5D2092BCC,SHA256=072B6590FA3E0D8A8EE675861284191E192793CD9DB2318CA177434BF64B1EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369696Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:49.700{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6894A3F64E40CCCC43E5AFA06FAC6614,SHA256=91578CAD3386061D10F33C913DC059CF6961E4B0600C9E080970BAC00A6FF67D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323222Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.581{99D2EDAA-5F0D-619F-1801-000000001002}923528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323221Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F0D-619F-1801-000000001002}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323220Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323219Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323218Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323217Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323216Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323215Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323214Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323213Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323212Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323211Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F0D-619F-1801-000000001002}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323210Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.394{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F0D-619F-1801-000000001002}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323209Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:49.395{99D2EDAA-5F0D-619F-1801-000000001002}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000369699Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:46.706{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-10420-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369698Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:50.700{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529F457C2D31282FBF4E09ED85D19401,SHA256=662E303CF19280FFA2C2C5A93F55E2FCB3780B69B47460A5709F6AFDE8A30D2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323238Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.721{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEC60C169BB6FEC7EB8CA797D0A4389,SHA256=4B5131BA85F1D57FEEDCE58BE9D45E15DC318CAA23AD5AF222BD0C955588CEFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323237Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F0E-619F-1901-000000001002}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323236Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323235Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323234Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323233Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323232Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323231Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323230Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323229Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323228Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323227Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5F0E-619F-1901-000000001002}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323226Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.690{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F0E-619F-1901-000000001002}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323225Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:50.691{99D2EDAA-5F0E-619F-1901-000000001002}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323240Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:51.736{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860F5E70D1E165CBBA522B27874CC141,SHA256=D3B12D97E26ED80E44B36B96351401618F7480ED9C6DA6822BB0F4C64B49020F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369700Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:51.731{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024AF5B461A9E9360B7DB90AF16FE197,SHA256=B0FB0375FDA6FEBF65235D3E8636290164D80E832305FEB364A06377DED13E28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323239Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:51.689{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7006B08C7F49031727CE01712C82A58,SHA256=F4945562EFA70260F82C6CB1633E46F120AAAD7FEEB03EF36F98FABAFD32BEEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323241Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:52.751{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FE1EB138335E255A5A65AD00DD88D8,SHA256=0E4362B717C4E3A4B0EBA09D14C8820BE3B08D9325FA85251538372E0721C359,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369702Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:50.452{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-18939-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369701Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:52.731{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE7D022247899BF6E228F3FEBF40344,SHA256=C2F38100516B7F86D12D573A6E6FEC5FEABCF639EF0D0DA0188D57E127842233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323242Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:53.782{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79C2D515CE1D1E446E746AA1D077C04,SHA256=963974073B6F73010E355E9E16A15EC2A5D584AD729F448CDCEA747E7D9AF0FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369707Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:51.080{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58850-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369706Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:53.731{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CF530C39BD9B71078F1A4382E0DEA1,SHA256=544DBD1FF6F383823AE20C4CD12196687DE43D023C7F4EAC22FC725CFC224734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369705Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:53.356{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A9EA497967AA38042E41EACD68B22851,SHA256=466068DACA7BA478D6628F2385A49B7C2367412FE0B482144B7E04ABABC3A3F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369704Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:53.356{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2C3EB7656A59093CD9A4F1DB2FDF8590,SHA256=2D4BD16108169ADC4FF0C6648744897E5904875EC8D4F227E8BC5F2393AE04F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369703Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:53.231{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84FBB0CBE0E8A55F3C2CD454655445FC,SHA256=21B30A259EE6DE1AD6027319E2EE90FE11243B0F20D3D780805DB7A0279A0891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369708Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:54.747{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AACEB30F106DD0E593061067A259242C,SHA256=B3F8752FAA6EEA850CB9F98E995E9F4924F9B0EA2A35882C3A622D70D183A3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323244Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:54.781{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6C2C691B9360B116B30F662D1EBD55,SHA256=93998B0AC757E90E7A115C68560CA56E2A5425E6B2C22DAFF1AD03FB32282093,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323243Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:51.803{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49959-false10.0.1.12-8000- 23542300x8000000000000000369711Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:55.778{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7501DE23F57A04CD6BF40513BA6CEC3,SHA256=5928366C65DA892ED0B8D1FC52CD0AA50BDBC702166DBBC7D37ADD78862B96EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323245Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:55.781{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F1F17AE135F4990DA6756ED8BEAE86,SHA256=9370F2408D9EFB08ECB49B76A2AEF82C2CC0CDF6261F892847132E472404ECFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369710Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:52.582{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-27341-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369709Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:55.403{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C46FF909A08F96C5115C8CC7F014DE0,SHA256=B5D65C8FD23AA144175D7B49CC1E8771BD7FCDE8D321B6134EEDD00C222A1195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369713Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:56.778{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201E76D3CBDC95C2A46A866EAD1F2E05,SHA256=137D11CE895ABC0BB0C162F888442AAC07C2DB25BC7BFB45BAD55BAA017FF436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323246Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:56.781{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA93F4C566C23567E93EF585D6330E0,SHA256=9C573F46F24F3C97A25940AC8CAB2F0E93F393ED3D667FCACF893382C17588E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369712Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:54.682{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-35391-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369715Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:57.950{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=422691E612A0780886D987D8D8DE023A,SHA256=7053F44AD7E0B26C9B60C30CBDAF45E641757DC70BA52AD2D92BB3FF27500CC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369714Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:57.887{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580DA5AABB29FAB0EC23A0C429DA37B1,SHA256=79B55AF8391F3A4831448F8F209480670E257D89E04264C6FC4FCB59C6B26E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323247Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:57.780{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8E896236162416D88489CE3AD45702,SHA256=BB69B703D8CDAA27B382FC16313BD7231D4FE2CF7281456B538DA32C979CCE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369717Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:58.887{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF76E402B318F9BDFBB7AAF129313C1C,SHA256=536A2FCDDA32FC43323DD0297D09435887F9B44E65783B34DEC19FA2CA03806C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323249Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:58.780{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F37628411EFA93B85CCF5DDD3FA21F,SHA256=086AFD77FB57BB87B5BC2C9DBA40D2EFC3617F1B2D5FC887D0E9FC6C2515B5A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369716Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:56.112{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58851-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000323248Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:58.519{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-017MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369719Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:59.889{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98CF275269DA706F70C412CF796C23FE,SHA256=5CD01EA035821F268AC58C59114E30D7E5F9CCC87FEDA1D5FFA49247B5EDCA40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323252Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:59.795{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B6BA3058BEEF5E19CF30D63D1C6E2E,SHA256=79E3E9B0B7CEA02939A140A24DBB5B0E693960732765954E61F777DF9FA49C44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369718Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:01:57.424{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-44862-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323251Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:59.532{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-018MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323250Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:01:57.618{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49960-false10.0.1.12-8000- 23542300x8000000000000000369721Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:00.920{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083553AB1A65720D4EC5445DB7F195A8,SHA256=270488C5B559ED07FE9CAF5771B0A1584815B57C95F4A9E84E9137861539FCBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323253Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:00.828{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1A4EBD129AE0D0AB574DBD2EC56677,SHA256=0E82F7DED774806B6B0A2C62CD06BC0F4403DC64AF37FE7C15D6109CBB0FCA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369720Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:00.342{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFC420DF110CCDABDC0B9978BF83E24A,SHA256=561B93DC5F85FD4A47EAC12E1CB532A567CB7A73C349A36C84368692475115D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369722Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:01.936{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DE12A12899E2354361364CC7DD1F27,SHA256=E54533719E3D0D146302E5E072434EAAE9AC35F98B41D5CC95DC0C1F196E73D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323254Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:01.843{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC781DBC435C15BC11CCB80EE6F6D10,SHA256=ABBA0ACC1A090551954C9651DECEE985F100084AD29980146963D8126D9EA266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369730Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.936{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493C07C5313D68BA35250522BD0E879E,SHA256=FA12021CCB90F06438A0DC99540D3DBD8B2CA30FB2A4F9D957E1427AC1D4D7C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323255Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:02.843{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF650CCA78D037AF0406DFEA01AFC3E,SHA256=9E8E53F9E74D1036E6DF0D4C8266D88C311A0D850C1EE9E8FFC01FF3895F098C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369729Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.717{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369728Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.717{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369727Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.717{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369726Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.701{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369725Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.701{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369724Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.701{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369723Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.701{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369733Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:03.951{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D620F351205CAB282F28405DA855B5A,SHA256=4887EA3BB72A856D24DE5718135BB0FF60EA87581ECF9C3C4350F37F07CF208A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323256Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:03.842{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77FF709B83C43BF56BFDF626DA3AD91,SHA256=32C6AEDCDEE99BF54F341566043275F62504D73E2EE8EF0D9F7666D353299F3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369732Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:01.301{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58852-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369731Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:00.901{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-54007-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323258Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:04.842{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF29CB48F5958D3BCFD93BC5AADE666,SHA256=9024283D7043AD7C3009C955400389870FEAF965A38C0C998645B725E10D25F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369745Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.952{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A10736AC7E1276F2DD1AB4DD652B50,SHA256=6F3E400E24867560319A153D72E51C2F6AD928C6C4F9373A15C4C65BCF12FF5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369744Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.598{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58853-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000369743Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:02.598{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58853-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 10341000x8000000000000000369742Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.420{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F1C-619F-5401-000000000F02}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369741Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.420{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369740Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.420{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369739Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.420{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369738Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.420{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369737Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.420{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5F1C-619F-5401-000000000F02}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369736Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.420{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F1C-619F-5401-000000000F02}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369735Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.421{27B459FE-5F1C-619F-5401-000000000F02}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369734Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:04.170{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=126F93F1234AFFA147EAF4BC847E6281,SHA256=479DCE45C5749C17DA9CCBF70B2B1B4A7CBA9D6241CE1115D3AB140DB9DF13E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323257Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:02.665{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49961-false10.0.1.12-8000- 23542300x8000000000000000323259Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:05.857{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D03010623FFBB78703D4541310FC943,SHA256=114B348640B705BC4F390888776CE74E0945BD6CA78203265DEDBF898BAD9FA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369756Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.967{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A9C860060C87565C790E4749211E76,SHA256=23813CE9DB17D5C2918DC023BE0A0205947A8CA0CD2A66A90A7B2F76DD0A64EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369755Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.655{27B459FE-5F1D-619F-5501-000000000F02}41805588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369754Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.452{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F1D-619F-5501-000000000F02}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369753Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.452{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369752Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.452{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369751Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.452{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369750Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.452{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369749Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.452{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5F1D-619F-5501-000000000F02}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369748Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.452{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F1D-619F-5501-000000000F02}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369747Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.452{27B459FE-5F1D-619F-5501-000000000F02}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369746Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:05.420{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8FBDB00FD239760AAE3C01330CDD0E2,SHA256=26EED488925FE5E952CD90A664435C5BD6DFBC1677628669447CD08F89D82BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369766Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.967{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D761B4CD8395F1825B7DEA5EAA7BBE6,SHA256=2A53DF4F8AF22B8D2E7FDA319BBD896525D00BFD8A91CA6D0F7A68DBACD4EE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323260Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:06.872{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB38EF1B719848AE7394406E478D4664,SHA256=00728F3A97BC5931E6E9FB610618EFE6012384252A4F45EEB40219057C28E72D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369765Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.467{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F1E-619F-5601-000000000F02}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369764Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.467{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E634973FB9F386E50F000003BC2AB1AE,SHA256=FB0C45A327769EA6EBEA0D1C1C99D9FB1B5F1908ED92841A58A72CD8F15B60B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369763Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.467{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369762Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.467{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369761Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.467{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369760Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.467{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369759Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.467{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5F1E-619F-5601-000000000F02}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369758Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.467{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F1E-619F-5601-000000000F02}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369757Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.468{27B459FE-5F1E-619F-5601-000000000F02}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369769Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:07.967{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01472B5FE9A926D68576EF0C4030A2D8,SHA256=4E0DFF25C10F021CF35BC4AC1BD0195D3637B082AD9224EB3B5C8957B0CFB8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323261Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:07.872{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1C8FDBC69FC46F54FA175AB2EF8CCD,SHA256=B30A87DF6A73D3CBF2EF45BAC9AB750AC24764AB911BB59894EC0EE0380930A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369768Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:07.483{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E75A1D8BFE0E20C51F1F580D47CD1999,SHA256=EB7EF7D7125B1809BBF84A430CD480001C41BBA2C4E02F096BDA7E4F00B5F5D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369767Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:03.576{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-3452-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323262Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:08.887{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82122A6A61EF8C17D8AE4C22AEDD87E2,SHA256=36E9C5CCBCF62A7DBE93FDCA5F5AE070AFB792C6136D6BE03501050FE7DA80D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369785Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.905{27B459FE-5F20-619F-5701-000000000F02}47442700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369784Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.670{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369783Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.670{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369782Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.670{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369781Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.670{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369780Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.670{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369779Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.670{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369778Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.670{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369777Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.545{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F20-619F-5701-000000000F02}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369776Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.545{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369775Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.545{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369774Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.545{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369773Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.545{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369772Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.545{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5F20-619F-5701-000000000F02}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369771Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.545{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F20-619F-5701-000000000F02}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369770Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.546{27B459FE-5F20-619F-5701-000000000F02}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323263Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:09.933{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB4903509B7A1E3513DA4E5C76C7880,SHA256=31F963DE136DE53BA2F549433DC08C012A1CA32810E1A99FA4F0CC1DB5EDF2EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369796Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.327{27B459FE-5F21-619F-5801-000000000F02}35245948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369795Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.139{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B47185FA2820A211B379ABECD66765D,SHA256=458C31A8D780B27B2F17F867B1A16B882139E7C8C994DAFA0F4D5D85E2A600AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369794Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.139{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F21-619F-5801-000000000F02}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369793Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.139{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369792Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.139{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369791Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.139{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369790Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.139{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369789Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.139{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5F21-619F-5801-000000000F02}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369788Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.139{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F21-619F-5801-000000000F02}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369787Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:09.141{27B459FE-5F21-619F-5801-000000000F02}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369786Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.999{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006E32367857AF6FCADB912AFF751D9C,SHA256=AB265C2598A3F1C75F95EC45489BE42016AC2BF3E78EABFEE6228DCF14D9530F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323265Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:10.949{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A79428C4761C2D8F8BB33ABA953BA4,SHA256=79050C7BD8B2B49B3D875EDEE95EB8CAA1C95A1A9422248A49128318899BACC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369809Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.670{27B459FE-5F22-619F-5901-000000000F02}40645936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369808Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.358{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F22-619F-5901-000000000F02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369807Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.342{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5F22-619F-5901-000000000F02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369806Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.358{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369805Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.342{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369804Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.342{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369803Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.342{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369802Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.342{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F22-619F-5901-000000000F02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369801Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.093{27B459FE-5F22-619F-5901-000000000F02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369800Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.139{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFEE69262C6AEA0FA520EF325A2843F4,SHA256=46E64D020E2F80233C7F073489151257F0BFC1059EC4A4430E2D332BCFA7DBA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369799Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:07.160{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58854-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369798Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:06.341{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-11805-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369797Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.014{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37B3DB24F433D8EFD62E272574BEC5E,SHA256=B37E76816DC5BF4F95D619457256854C631CAB4BF2C18530A8C721A6EB4F8DFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323264Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:07.790{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49962-false10.0.1.12-8000- 23542300x8000000000000000323266Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:11.964{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCD0BBD7C9C8A71B748061E5F131830,SHA256=B4786F925C0BC7D20E3DBB8C99C40F5F29133BCB5B1C31E80C19C1BE793918ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369812Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:11.639{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=704CD5110F0E3BE4F2D6420B92F1EA72,SHA256=04418A6DEF22EBBEA80644A4F9BD723A618C98710AA03B469832070D41B6493E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369811Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:08.472{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-20413-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369810Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:11.014{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4291D41814C2D1E76EFE54956F94CFE,SHA256=F466D5DF57FD7B10B20D03FDA912FE950A1AFEA6AC18AC37944103AA9D197390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323267Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:12.995{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD980E1828D2CDBC36483BCC7F6ACF7,SHA256=BB9E93B1A072C63D2442ED435AC07B6FA1598D85404372837C596C7B593A04D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369821Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.217{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F24-619F-5A01-000000000F02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369820Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.217{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369819Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.217{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369818Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.217{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369817Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.217{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369816Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.217{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5F24-619F-5A01-000000000F02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369815Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.217{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F24-619F-5A01-000000000F02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369814Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.062{27B459FE-5F24-619F-5A01-000000000F02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369813Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.045{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4402C5DF5EA0BFD0B6119BE5E6D664AD,SHA256=3460446F637F79CBCE10BDE1122BCB07B96D01E5D59A287679884CBE49175359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323268Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:13.994{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D456229F98F0AEB8323D7B50374B6E,SHA256=29C9343E5A2DA2C19AA23F5667E9E88A11DB3A2504076BC152EE80A6F1D9928B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369823Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:13.061{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF8C7A71F3758376A0464BE6EC327FB,SHA256=142E9AB765DAE3631B251713DCF18845EE0CD135DA6735DD5CC3441003F3495A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369822Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:13.061{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D8C91AD830DC73853D7CE59892EDBE4,SHA256=BB3D8C05903C87B853515A5A823A7DC76F18651FA244EE2C75BADED2F85739B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323269Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:14.994{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52EC24DD489ED9BD4466A05923DC6E24,SHA256=6B0FE2D0BC86109985546F90AC90ED816527A1342A494C991A3DA581DADD99A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369826Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:14.639{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369825Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:10.901{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-29339-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369824Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:14.061{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553C2BE20F21AC312BB6E1A41AA4A304,SHA256=C5ED4AB5CBA3BCC26E2A368097D0ECBE080E23624745545D1E01E5AECC9ECB6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323271Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:15.994{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AE875F17E41D16FA9CBD07A181A837,SHA256=976589DE0DD35908D33CCF202E5B1DDE5F5CD39DA3A5F603D426BA6934F9A6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369829Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:15.827{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC79F843852774D76C606C525AFD1210,SHA256=84D3F8A80955E61E6DAD31E6BB2F028139BC3DD66E7C146421B54E007D73FFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369828Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:15.077{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6EAFF6A38E1FE5E1B624C61FFCE9F84,SHA256=4F39260E1D9F00B8DE2E5127DDFFC121293AEDE7FB854AA9FCC8F86A33170F99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323270Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:13.775{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49963-false10.0.1.12-8000- 354300x8000000000000000369827Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:12.177{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58855-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000323272Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:16.993{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E90CCAE43CEA43BDC19757394F75D30,SHA256=0605964DD1640512C14876DDBC3BEDB84333A44446CD69E0E4215EF1F94C863F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369832Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:16.296{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3190FE788E63AEB96A54B6C9DA02F9A2,SHA256=F1A97AA6FEB2ED807943561554B2BA347406256A030012F98FA88B704F5929FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369831Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:13.660{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58856-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000369830Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:13.034{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-37990-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323273Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:17.993{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F8927B0EF256EBD033600154C97DA8,SHA256=C65DCB6BB306474BCD91B43FCBD0DF220D2A61F8B9F2F932ADECC32F3F6636DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369833Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:17.296{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828B8F64ADCD602DD6BAC36FA6FC2A02,SHA256=E9E02FFD4F6DE959A298454DF79910A094F0E13DD277F70131FF7CC42B3CE23A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323274Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:18.993{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED56614895BFD6BB85D674ADDF00B08,SHA256=C9DF5E04F99651A518827443A851811D0807E286AD470E80F267B947D1707C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369837Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:18.647{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-017MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369836Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:18.360{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9D1532900D55C83BDDFFBAAC7864580,SHA256=3610C29D837AFE063DE3974C5D3A3DA59D02AAE372FE6B92B70DF66A515213E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369835Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:18.298{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28C37754BD9BA5F43ED5595118B3504,SHA256=2F7031B24BC1AC2685E43BB1A7681319DF64758F3C4E987F943225A3FD660F79,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369834Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:15.099{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-45518-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369839Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:19.647{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-018MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369838Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:19.324{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A18438C7F6FB56FE4C5E5512380FFE3,SHA256=D25494CB158276B9BDE2F74CD123909B2F2203CE79D68220DDB187DA0970D169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369840Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:20.351{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8643573C5B52AB46D74D87717242C18E,SHA256=1F5A2EAF483D2597FFC05CC34971DD9B1E22BB470007326093F90AD391A721D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323275Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:19.998{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5B04094083EABFFC5E3D2B184D6966,SHA256=5065C35BCB0D9603BB9DC7CBB8F752704EB8E8900B73196C0641370261BFC502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369844Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:21.351{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EFD24E1BD3C38CBC22BDCC3BBBAAD49,SHA256=A08D50A94675C545C66CB96711E9104FFE4E9AD54F41F5B1864E7102F8AB0535,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323277Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:19.781{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49964-false10.0.1.12-8000- 23542300x8000000000000000323276Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:20.998{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3618237A420DD324FF416A9A705FDFCA,SHA256=578870A47ECFF44FDEE647267303FD880B4AD28A0EB5E4962F8B75B5F3544AAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369843Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:18.157{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58857-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000369842Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:17.602{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-55591-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369841Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:21.133{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EDFCE96AFD92EFFED8DDB3EEAA4C1F8,SHA256=A5AE3E80715412DB7F24AF9881B2C848049C0D1D06A1FB14C11A6FDC9878F340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323278Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:21.997{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BD4165FF64B1A5D30359F4902CE289,SHA256=9A1759CB70D54C443D969BD21B01F507A00007ABDCCD4AA272EDFF30073993BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369845Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:22.351{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C991EE76B0FDEF8125ADEDEE82C2B664,SHA256=69414FA2DEB7EC9F0D7F24230FE9E95273DDEDAB28D3B5AE29BA76539BBBC946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369847Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:23.351{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1409A556249E861D806C6F6323EC424,SHA256=DD5217D38FE1BD7670746223C32D561F5AE0A34C55556697828EE3F2CB7049B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369846Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:23.351{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383B3A3529B0CB4CB2DB998AE35551E8,SHA256=512109851EC3331445E35D499C7697581A2837DBD4EB8B39E08E3B920FE67E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323279Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:23.013{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89872422235FBE550CBE130BE00E2DA7,SHA256=C084F2817667B12FC7E46A5930012F045F0220217A5940CD0E214665CB434A1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369863Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.461{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369862Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.461{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369861Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.461{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369860Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.445{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369859Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.445{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369858Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.445{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369857Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.445{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369856Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.367{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CE336DB6B5160BDE526B95035AA427,SHA256=BC514709B763FEE3BF45412D894D8510DC9BED4814BFA9D61B492F051DB09C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323280Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:24.012{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7155FC58A784E172EAEC7BF61F066C,SHA256=7C19810517168232804A26B9975F6F927CC648FBCAAA3B3ACC08C98073EAFC72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369855Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.336{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369854Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.336{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369853Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.336{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369852Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.336{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369851Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.336{27B459FE-5C01-619F-A300-000000000F02}13443148C:\Windows\system32\csrss.exe{27B459FE-5F30-619F-5B01-000000000F02}5284C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369850Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.336{27B459FE-5C05-619F-B200-000000000F02}47484988C:\Windows\Explorer.EXE{27B459FE-5F30-619F-5B01-000000000F02}5284C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+2846d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c5b0|C:\Windows\System32\SHELL32.dll+179a2e|C:\Windows\System32\SHELL32.dll+736e1|C:\Windows\System32\SHELL32.dll+765c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000369849Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:24.283{27B459FE-5F30-619F-5B01-000000000F02}5284C:\Program Files\Notepad++\notepad++.exe8.192Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\1.ps1"C:\Windows\system32\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=40BE20589D819C3C9A40CC6F0D730560,SHA256=69652BC3169A746975C9BE917E80F4573BFC6E35844BCCC2AAE2621D9FF573A2,IMPHASH=3BC3FD4C1203B4D6795EAFD8E6CED030{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000369848Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:20.386{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-6865-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369866Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:25.492{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A5C98087CD69C40F09C86ECF063066,SHA256=F82B514AC678AAAE4E171068946859999E2CD11E23DC8F3B438C05087AFCD158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323281Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:25.012{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCF630E15801397B604D5160F25B672,SHA256=809B13AE61EA1D3CFC1E54B4AB055D94573C0527DEB31E73868B9FF81233E4A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369865Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:25.351{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A97984485F36BC98AEBB4028FD0258D,SHA256=149555880A0C8013025ECBBA28D6FA773DCECBE5116F44E40060F33070B4855E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369864Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:22.605{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-15451-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369868Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:26.492{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07EB352E072732D2927B8298CB8DA470,SHA256=B6891B6400D589E34D61695CFB1A737E427C421172C1084DFE1779A942A31413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323282Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:26.012{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3879C9A7209BF8F2ADA8F6D8D79881BE,SHA256=781226521226FDE9B3007A7476B2E50039265AD9DE71634920A03F03B366F717,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369867Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:23.200{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58858-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369877Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.867{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7584EB52F5C636DEFD7D926B6DD79436,SHA256=840062404C7FA8B9CE83DB7417BEB35D3BAD943A6FF55FDDBBE35C3018DDAE03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369876Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.508{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871136794EDB1DFA6CCB24A73F48EDC1,SHA256=C89BF3EF6D6927F83D8036DB76F603D71674D14A174E44033778CDF1F59BE322,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323284Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:25.702{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49965-false10.0.1.12-8000- 23542300x8000000000000000323283Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:27.012{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787A01E291AE29195F4669FE4FDD920C,SHA256=D184F5AD9924F5E733E40565403CB80BE6476F64122E949341ADE1D30E523505,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369875Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.320{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369874Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.320{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369873Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.320{27B459FE-5C05-619F-B200-000000000F02}47484860C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369872Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.305{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369871Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.305{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369870Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.305{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369869Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.305{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369879Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:28.523{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C3ABE11EA78C3203A5E3FCF616E86B,SHA256=4C3297BD6DF2BCE8EE0A171AB114A3B5FC2D17711CBB15DAAD66994A854A40D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323285Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:28.011{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CFE504EB2799E4EFD153A8DD09E295,SHA256=522976E96D6F26D060DC2B223455C90584B0EDECDB1AC1191CDF223ED1FEC5C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369878Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:25.057{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-23719-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369882Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:29.523{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E99694B2901059FECA573ED8DFA6765,SHA256=D9EE57593387FE0383AD7FBAC9D7A9D34794590903A9B4551145F9329660D56E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323287Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:29.370{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4CF8514E38C61DFAD174D27039E1AB3A,SHA256=09B5E1665C4E5AC6589DA64EBFFCE4E0CD23D6BAB0135526B1E912DD91771AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323286Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:29.042{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BFE0CDEF492C691E25600CEB76DCAF,SHA256=BB12DB0440E7CA88FFE4DBA06AD2131053E15D7DBE88C55801134CD795077173,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369881Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:27.151{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-31735-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 10341000x8000000000000000369880Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:29.352{27B459FE-5E7F-619F-3A01-000000000F02}4176424C:\Windows\servicing\TrustedInstaller.exe{27B459FE-5E80-619F-3B01-000000000F02}5476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+7d088|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369887Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:30.523{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0323160E478EAAE3C98C6C809CE290,SHA256=E1D5F04E4C163162C1ED78D93ABDE30F22BBAEC0C31135DADF1955A67D43A9BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323289Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:30.198{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323288Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:30.073{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FF63D410EF4703B215B8CA96E6BF58,SHA256=6AAB977508FA350AF061887A1FF9B8EB04D9DEADBCB77B3ACBABD1D8A1A197EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369886Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:30.352{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=541E899F62D39CB0515890AC262698B0,SHA256=3135E5257771A2A4D5B65F2DD85FB7CD4B057633132E71E8A9BEA71D89C0DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369885Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:30.352{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A9EA497967AA38042E41EACD68B22851,SHA256=466068DACA7BA478D6628F2385A49B7C2367412FE0B482144B7E04ABABC3A3F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369884Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:30.242{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A4E46915EB748E3F41864C8417CE4BF,SHA256=EFB6C07994D1BE986ADAA9BF36511B82F0836C27F6CDAA17A1D5541F0ACAADB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369883Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:30.023{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=54E2C18DF7CFCF2A548A754F2065E88E,SHA256=1F805073BA3A80CA838C258E15E0623710C9F51E27FC0C908D807EF9274B2F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369889Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:31.523{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC8FBA421D0645DAB49ED8E82FE5BCF,SHA256=1A5237FB2151CA6144B6430B9CF9968535929918B3E23BB2425485343AD9A138,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323291Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:29.750{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49966-false10.0.1.12-8089- 23542300x8000000000000000323290Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:31.073{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA030212150819DB614BB77BF35F6A3,SHA256=8F0DF7A85432887662EE7913AF1DB8C876F6E23EE2D0E7E30BCCC778E64DA2A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369888Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:28.216{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58859-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000369891Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:32.539{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28217D9CFF1F08A9990786B6FE2ECDCE,SHA256=88DD5F3502B6C4D9130ADB03E04104E7CDF3041E25944089A29E64CFA19790CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323293Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:30.828{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49967-false10.0.1.12-8000- 23542300x8000000000000000323292Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:32.088{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DD110E3A5B3A1472279A3787A5F180,SHA256=46D7BC7DD4327C187890D407C2A56EB8012005EB9308887C055E347CBF159329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369890Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:32.352{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1008F046102164CB2AFA42728B14AEB,SHA256=991606D59E7B74B9E605DD1DD6014675AC975FFBBFEFB5CFBFEFF230F23B7589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369894Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:33.570{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0B5C14BE73FC72CB78262B281DB97604,SHA256=2782028854500083F29F0925C01C99ACADBF253F5144187F202D5EB1F9190714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369893Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:33.555{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DFEB79E594E7AB1A3C9A93A50C27B5,SHA256=B9BEE60F3A048D51510A16C97C6D0FA31AD184C3E6C81821A03FEEED8E4E3C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323294Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:33.104{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61390CBA82CFB4CA6D1AA3DCC76BC078,SHA256=36F199176EF7FDEB20AB60DE12AFCC3628E8742AC0A5412BC87213D160CCFC82,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369892Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:29.434{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-40103-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369896Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:34.586{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE779C3D52229E7A6D2DF3CECF158267,SHA256=C341624DF4D5CFDCCE392825ED05A6AA74176F1B36171BC0BC2B4BD5643687DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323295Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:34.150{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38233F1D2069097E9704E711FDA339AD,SHA256=25CFCC947DFDF4399EFEED71428BC55C9EDC2798E867A3165C5E8E1DC2B31C61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369895Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:34.399{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2224556229BF17A75695A0F63DE3155B,SHA256=21E1E7C28959C7FC638649821C6EDDCA000843EB2A2D7B632AA3580288584F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369898Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:35.586{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C716BAB17F344301357E3D916A7D2527,SHA256=245D590B8291B060B244CFDFF76FE50164560E8CE37B1E66B76D13F43FA68CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323296Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:35.197{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0A72E2B5B076843C39611810559532,SHA256=7B0576CB2586A132BD53768DE71E5CDCBE63E8E0167DDA2F83F3A8D023A1BB86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369897Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:31.903{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-48842-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000369899Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:36.774{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AEC132381E3A0CFF9576FB3A994DDD5,SHA256=FEA0D43798004F182EADE506043BE4EFF6E9F57E195CB2B08D8A2220E7CA751E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323297Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:36.290{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD337927AF20A883FA5518C69F8DFA5,SHA256=245FC27AC71ED9B0479769878E79BB046E64D75914776BB6C5587131678BD10E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369901Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:37.789{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B013831B319DDADD3AD97C554EC7D5,SHA256=594F6BB241707A3A42564D8F7D242A73D57FEE8832AA9E89C973EA32F9487E5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323298Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:37.321{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA78124CFFC39891B8B4C07320495F8,SHA256=D3733F529ABEC5C72D59EE7ED1E7743C27EB1E8BA546505CE516B30011720959,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369900Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:34.216{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58860-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000323299Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:38.383{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FFF9F6C637DDDAAE6EBDAC2696A41C,SHA256=7175207CAAB843D726ECED37ACBF334C8C6F85DECA8787363DCB589570962620,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369933Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.790{27B459FE-5C04-619F-AA00-000000000F02}42444260C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000369932Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.790{27B459FE-5C04-619F-AA00-000000000F02}42444260C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000369931Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.790{27B459FE-5C05-619F-B200-000000000F02}47485116C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369930Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.790{27B459FE-5C05-619F-B200-000000000F02}47485116C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369929Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.760{27B459FE-5C04-619F-AA00-000000000F02}42444260C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000369928Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.760{27B459FE-5C04-619F-AA00-000000000F02}42444260C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000369927Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.760{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000369926Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.760{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000369925Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.760{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369924Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.760{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369923Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.742{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369922Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369921Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369920Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369919Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369918Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369917Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369916Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369915Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369914Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369913Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369912Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000369911Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000369910Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000369909Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369908Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5C05-619F-B200-000000000F02}47486028C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369907Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369906Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.711{27B459FE-5C05-619F-B200-000000000F02}47486028C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369905Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.696{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+23084|C:\Windows\System32\TwinUI.dll+23138|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369904Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.696{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+230ec|C:\Windows\System32\TwinUI.dll+23125|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369903Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.696{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BAA0C04CD904C6D8F924578DE835A8D,SHA256=4779441C7C72421F62B7F3168BC8A63EF34EF007581000F6ECA4CD8191DB618A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369902Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.696{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=245DF3024708E27F86E9F1430DADE601,SHA256=3F992A966754AC053CA3BB5D2A6FD799EF72115213AD9721E036496F116A9693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323301Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:39.383{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70C7E6B0B79BD7F60CB6281A4B20B77,SHA256=6E7CCF2BB4630E0571F7290A91F0F4895A6CAF980991D62E61E396489E516BFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369970Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.995{27B459FE-5C04-619F-AA00-000000000F02}42444228C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\windows.storage.dll+e570d|C:\Windows\System32\windows.storage.dll+131ba3|C:\Windows\System32\windows.storage.dll+130e1d|C:\Windows\System32\windows.storage.dll+130d31|C:\Windows\System32\windows.storage.dll+130cca|C:\Windows\System32\windows.storage.dll+9ba99|C:\Windows\System32\windows.storage.dll+61d16|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466 10341000x8000000000000000369969Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.995{27B459FE-5C04-619F-AA00-000000000F02}42444228C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\windows.storage.dll+e570d|C:\Windows\System32\windows.storage.dll+139883|C:\Windows\System32\windows.storage.dll+9b910|C:\Windows\System32\windows.storage.dll+9b867|C:\Windows\System32\windows.storage.dll+9ba37|C:\Windows\System32\windows.storage.dll+61d16|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a 10341000x8000000000000000369968Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.995{27B459FE-5C04-619F-AA00-000000000F02}42444228C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\windows.storage.dll+e570d|C:\Windows\System32\windows.storage.dll+137543|C:\Windows\System32\windows.storage.dll+61dd5|C:\Windows\System32\windows.storage.dll+61cf8|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000369967Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.995{27B459FE-5C04-619F-AA00-000000000F02}42444228C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\windows.storage.dll+e570d|C:\Windows\System32\windows.storage.dll+61da9|C:\Windows\System32\windows.storage.dll+61cf8|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+13225c 10341000x8000000000000000369966Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.980{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\windows.storage.dll+e570d|C:\Windows\System32\windows.storage.dll+e5888|C:\Windows\System32\windows.storage.dll+1a3c19|C:\Windows\System32\windows.storage.dll+1a3a75|C:\Windows\System32\windows.storage.dll+e65e6|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000369965Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.980{27B459FE-5AC2-619F-0B00-000000000F02}640680C:\Windows\system32\lsass.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369964Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.980{27B459FE-5AC2-619F-0B00-000000000F02}640680C:\Windows\system32\lsass.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369963Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.792{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF819AC3F14FCF7B919C0AAE0BDF4D7,SHA256=CDBF0C708CB8801FB5B883EE264B73F9C8C16C4385D58DD1F4F8C37B0E1E93DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369962Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.573{27B459FE-5C04-619F-AA00-000000000F02}42445136C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369961Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.573{27B459FE-5C04-619F-AA00-000000000F02}42445136C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369960Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.573{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 23542300x8000000000000000369959Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.227{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A32CFE3EF4B3E407632786716F10E76,SHA256=937044AE2093892FA1B48372409629E0196AF70EAE55C9B84772CB2D081F6AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369958Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.196{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358C28C0AF735DDB78291FD82E21E403,SHA256=EA26FFEFEC4A4C230BFCD07E86D8CCB9F982E38141C5A771673FC6C4FE4535E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369957Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42445136C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 354300x8000000000000000323300Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:36.719{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49968-false10.0.1.12-8000- 10341000x8000000000000000369956Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42443440C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369955Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42446140C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369954Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42443440C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369953Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42446140C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369952Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42445136C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369951Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42445672C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369950Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42445144C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369949Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42446108C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369948Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42445672C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369947Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42446108C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369946Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42446060C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369945Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42445144C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369944Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42445336C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369943Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42446060C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369942Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.086{27B459FE-5C04-619F-AA00-000000000F02}42445336C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000369941Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.071{27B459FE-5C04-619F-AA00-000000000F02}42444260C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000369940Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.055{27B459FE-5C04-619F-AA00-000000000F02}42445876C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000369939Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.055{27B459FE-5C04-619F-AA00-000000000F02}42445276C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000369938Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.055{27B459FE-5C04-619F-AA00-000000000F02}42446100C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000369937Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.055{27B459FE-5C04-619F-AA00-000000000F02}42445724C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000369936Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.055{27B459FE-5C04-619F-AA00-000000000F02}42444064C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000369935Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.055{27B459FE-5C04-619F-AA00-000000000F02}42444280C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000369934Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.055{27B459FE-5C04-619F-AA00-000000000F02}42444264C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 23542300x8000000000000000370024Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.792{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5B27F61903E8D2CBD69D7270D8F0AA,SHA256=8818BFF91D7D658EEA770DF134A833A09B816BDF023A70B0C481F168D3102BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323302Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:40.388{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8399E5DFE70DC06178C4E61256611AF3,SHA256=C2F02FA9A4C9F5969BB3165A629D14E9EBF6983A9C5F05F97BB7F61E7AF49D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370023Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.776{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BAA0C04CD904C6D8F924578DE835A8D,SHA256=4779441C7C72421F62B7F3168BC8A63EF34EF007581000F6ECA4CD8191DB618A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370022Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.464{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000370021Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.464{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000370020Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370019Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370018Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370017Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370016Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370015Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370014Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370013Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370012Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370011Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47484616C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370010Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.448{27B459FE-5C05-619F-B200-000000000F02}47484616C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000370009Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:38.014{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-59358-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370008Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.198{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54D26470EEFFF3AC8213F1192B855B7,SHA256=642BA8980C5E6085EB26D16CC57EB6BB09149856BE398018C992EE09788CBD62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370007Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370006Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370005Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370004Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370003Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370002Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370001Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370000Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369999Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369998Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369997Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369996Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369995Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369994Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369993Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369992Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369991Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369990Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369989Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369988Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369987Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369986Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369985Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369984Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369983Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369982Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369981Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369980Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369979Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369978Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369977Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369976Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.042{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369975Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.026{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000369974Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.026{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000369973Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.026{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000369972Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.026{27B459FE-5C04-619F-AA00-000000000F02}42444228C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\windows.storage.dll+e570d|C:\Windows\System32\windows.storage.dll+2a3075|C:\Windows\System32\windows.storage.dll+75263|C:\Windows\System32\windows.storage.dll+752da|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000369971Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.011{27B459FE-5C04-619F-AA00-000000000F02}42444228C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\windows.storage.dll+e570d|C:\Windows\System32\windows.storage.dll+2ca532|C:\Windows\System32\windows.storage.dll+13b515|C:\Windows\System32\windows.storage.dll+74b46|C:\Windows\System32\windows.storage.dll+2a2fd7|C:\Windows\System32\windows.storage.dll+75263|C:\Windows\System32\windows.storage.dll+752da|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+3d2eb|C:\Windows\System32\combase.dll+3ea52|C:\Windows\System32\combase.dll+63c83|C:\Windows\System32\combase.dll+3ec5d|C:\Windows\System32\combase.dll+61faf|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466 23542300x8000000000000000370025Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:41.792{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C245A320682C626D83FBCCB2E782B72C,SHA256=E3989075F5AB570FDAEEEF562EE73F4C5680398E32482CDB55F869FDE1C59D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323303Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:41.388{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2AA5D4F6C7477C0DA974F8E2DEB0A30,SHA256=2F8DB010E0CFB34D7DA769DE433243667869E70BEAF326A5E3A918EDB868D5CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370028Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:42.792{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A81DD99982951647DA575A7A7F5D639,SHA256=A3B81EA7C6D385C7B135B7719564026A82F03E07DB44161A63EAABF364E1CBEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323304Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:42.403{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AADFF61C6F1C84444E66970EABAAC599,SHA256=E55A8B0CD2EB5B2921F8ADF373EDB6F676FAD0F1717DA64F97170D956E448A6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370027Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:40.203{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58861-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000370026Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:39.997{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-7477-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370031Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:43.823{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455955AC8EB57D20C7B23B95C3808BE0,SHA256=3F05A55E05A0343C75DF58F754CCDE3DCACFD8DF3B6C58935885BA625ACF5DB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323318Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F43-619F-1A01-000000001002}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323317Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323316Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323315Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323314Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323313Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323312Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323311Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323310Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323309Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323308Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F43-619F-1A01-000000001002}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323307Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.731{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F43-619F-1A01-000000001002}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323306Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.732{99D2EDAA-5F43-619F-1A01-000000001002}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323305Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:43.450{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39463A62CBA2D5D48128DF2393D28A8,SHA256=6F014D4745435CC8E179EC9424631C50010563F2022270AD09238BF0BC70F345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370030Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:43.120{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=403F0EEC0E48E70F7801D0E9604287DA,SHA256=16192B4AF5D68F9DC0864809DB2135B6F3E6F91B7D4A9FAE1C1F125D3EEC9B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370029Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:43.120{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E8B843DED71DE6E508514F8BDF6AB13,SHA256=B05330DDD81987B8270F2AEB24ECB0AB148CE91F72DD7A240FAE6247DD371A7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370032Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:44.839{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3746E777DF7662FED541C6BFB7EA2C5D,SHA256=966784050824321D306956D337A5DDB743BC1EED159F7225FCDDE8D3CB310638,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323334Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F44-619F-1B01-000000001002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323333Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323332Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323331Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323330Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323329Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323328Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323327Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323326Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323325Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323324Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F44-619F-1B01-000000001002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323323Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.887{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F44-619F-1B01-000000001002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323322Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.888{99D2EDAA-5F44-619F-1B01-000000001002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323321Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.731{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A884030362072875741D7DD15AFF7D2F,SHA256=1589A1CE24D158CC08387A9D6DF06922372F53B914035404B4F086D52FF495C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323320Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.731{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A106C1B4259B0250DAC0A14E664A8B2,SHA256=6C077E6181AD6E5A3FC23DDF7216A54C73C072DB1EA2DEBA1998FB110D0E24C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323319Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:44.449{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8764B6208E1F0D9A988151EF13B5DE1,SHA256=06C6ECB9ADFEC313D5C960B66E2666FE51EEBACCEA8093A1794490DA8D7D995C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370042Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.839{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A496CB2F5CD8AB9B21E658E2C031AE,SHA256=6AFABC630E0C513D5B62DDC73F5FA1089AF59453B2CE068B43CB2BB39DC1BFB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323337Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:45.449{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C34E06726A53BB10D1BD016AFE3C9D4,SHA256=F949C5410B2C929EC3D963768C505CD7C53E192F22F0C36D919486741FAF34B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370041Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.792{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370040Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.792{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370039Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.792{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370038Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.792{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370037Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.792{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370036Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.792{27B459FE-5C04-619F-AB00-000000000F02}43364660C:\Windows\System32\sihost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370035Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.745{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370034Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.745{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370033Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:45.745{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x8000000000000000323336Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:42.661{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49969-false10.0.1.12-8000- 10341000x8000000000000000323335Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:45.059{99D2EDAA-5F44-619F-1B01-000000001002}2856956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323352Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.465{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610A9F12F0C77B1348A15883147FB359,SHA256=03C63C4A58AA0C8C8814888FA7C6B6C250D0F99BC116105249E32CB630EAE58A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370067Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.261{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370066Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.261{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370065Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.261{27B459FE-5C05-619F-B200-000000000F02}47485116C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370064Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.261{27B459FE-5C05-619F-B200-000000000F02}47485116C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370063Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.214{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000370062Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.214{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000370061Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.214{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370060Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.214{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000370059Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.152{27B459FE-5C05-619F-B200-000000000F02}47484616C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370058Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.152{27B459FE-5C05-619F-B200-000000000F02}47484616C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370057Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.136{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000370056Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.136{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000370055Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.105{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370054Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.105{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370053Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.105{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370052Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370051Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370050Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370049Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370048Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370047Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370046Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370045Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5C05-619F-B200-000000000F02}47486028C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370044Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370043Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.089{27B459FE-5C05-619F-B200-000000000F02}47486028C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323351Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.105{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A884030362072875741D7DD15AFF7D2F,SHA256=1589A1CE24D158CC08387A9D6DF06922372F53B914035404B4F086D52FF495C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323350Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F46-619F-1C01-000000001002}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323349Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323348Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323347Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323346Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323345Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323344Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323343Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323342Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323341Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323340Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5F46-619F-1C01-000000001002}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323339Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.058{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F46-619F-1C01-000000001002}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323338Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:46.059{99D2EDAA-5F46-619F-1C01-000000001002}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000323367Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.714{99D2EDAA-5F47-619F-1D01-000000001002}9402836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323366Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F47-619F-1D01-000000001002}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323365Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323364Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323363Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323362Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323361Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323360Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323359Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323358Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323357Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323356Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5F47-619F-1D01-000000001002}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323355Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F47-619F-1D01-000000001002}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323354Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.574{99D2EDAA-5F47-619F-1D01-000000001002}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323353Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:47.496{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AEFA5DD954BE1BCA456FEE1EE1440CB,SHA256=18B9C35DBDAA21A94006037A59059F57CBE6005551AA9E1E2769A5E003E41303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370069Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:47.933{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80AB09ABE9663FC3C5BFE1CD0EB0F0C8,SHA256=66B507600CC5F5E89E56D8E062FC0231D7FD03B792A4D9E2A59E061823633B5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370068Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:47.183{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455FC03DA86DEDDB0E3F347AC84696CA,SHA256=376AB2D111C53D82E4C78C8FB199143EA943ACB7FBF654ACD63637AEE90B9523,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323383Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.808{99D2EDAA-5F48-619F-1E01-000000001002}352348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323382Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.683{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8577C058BA021889EC779183AF66FF27,SHA256=522E10E7D589538DF5A99B428F830038B969D0A81922713248F59E2E0441BBD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323381Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F48-619F-1E01-000000001002}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323380Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323379Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323378Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323377Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323376Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323375Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323374Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323373Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323372Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323371Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F48-619F-1E01-000000001002}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323370Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.636{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F48-619F-1E01-000000001002}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323369Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.637{99D2EDAA-5F48-619F-1E01-000000001002}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323368Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.495{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1080172BCC1F08F3961FCA3E03A9818C,SHA256=E0921F12F645F09073D5329DA9A5A1757854CCF0DC38067F3FB8976310E01161,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370092Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.964{27B459FE-5AC5-619F-1600-000000000F02}12881944C:\Windows\System32\svchost.exe{27B459FE-5F48-619F-5D01-000000000F02}5868C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370091Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.964{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-5F48-619F-5D01-000000000F02}5868C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370090Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.949{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5F48-619F-5D01-000000000F02}5868C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370089Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.949{27B459FE-5C01-619F-A300-000000000F02}13444544C:\Windows\system32\csrss.exe{27B459FE-5F48-619F-5D01-000000000F02}5868C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370088Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.933{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5F48-619F-5D01-000000000F02}5868C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370087Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.933{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5F48-619F-5D01-000000000F02}5868C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370086Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.887{27B459FE-5AC5-619F-1600-000000000F02}12881944C:\Windows\System32\svchost.exe{27B459FE-5F48-619F-5C01-000000000F02}5216C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370085Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.887{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-5F48-619F-5C01-000000000F02}5216C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370084Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.870{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5F48-619F-5C01-000000000F02}5216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370083Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.840{27B459FE-5C07-619F-B400-000000000F02}5088ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\R31MDF37\microsoft.windows[1].xmlMD5=692316D91A25AF8B547C462994F398F4,SHA256=A1A6B3DB0E6701A3F69D479348C7BD3CBB3AFEE4BD4225AF550EBB6B28BBEAB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370082Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.840{27B459FE-5C01-619F-A300-000000000F02}13445396C:\Windows\system32\csrss.exe{27B459FE-5F48-619F-5C01-000000000F02}5216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000370081Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.840{27B459FE-5C07-619F-B400-000000000F02}5088ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\R31MDF37\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370080Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.824{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370079Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.824{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5F48-619F-5C01-000000000F02}5216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370078Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.824{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5F48-619F-5C01-000000000F02}5216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37396|c:\windows\system32\rpcss.dll+3df7d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370077Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.824{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 354300x8000000000000000370076Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:46.141{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58862-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000370075Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:44.931{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-20258-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370074Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.511{27B459FE-5C07-619F-B400-000000000F02}5088ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\R31MDF37\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370073Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.496{27B459FE-5C07-619F-B400-000000000F02}5088ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\R31MDF37\microsoft.windows[1].xmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370072Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.466{27B459FE-5C05-619F-B200-000000000F02}47484852C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA5CC7)|UNKNOWN(FFFFF08320EA0351)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320E9FFD6)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000370071Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.466{27B459FE-5C05-619F-B200-000000000F02}47484852C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA5CC7)|UNKNOWN(FFFFF08320EA0351)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320E9FFD6)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370070Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:48.183{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A844A71E2A520D83992A2078E172F69F,SHA256=AF3236E15936EBC2F0E6943FFBC46EEDC7B2F229912DE8828A4D80F551DE9D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323398Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF35571259EFF5CE402B6AC07955EA83,SHA256=36E755A90BF330FC77CEE927D0E26259D34856A34AEA124692317A918FD8AE17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370111Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.863{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D37740FAFE10D1E0E9BE36DDB938ACE,SHA256=2829FD815777D1B6F745D0C1EA0333F1724D969FE074EE2CEDCD084400F1A21B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370110Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.353{27B459FE-5C04-619F-AA00-000000000F02}42444900C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370109Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.353{27B459FE-5C04-619F-AA00-000000000F02}42444900C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000370108Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.353{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370107Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.353{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000370106Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.353{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370105Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.353{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000370104Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.353{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370103Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.353{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370102Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.252{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370101Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.252{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000370100Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.248{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370099Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.248{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370098Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.248{27B459FE-5C04-619F-AA00-000000000F02}42445472C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000370097Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.248{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 23542300x8000000000000000370096Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.248{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F435AA4A67295E581DB34C714818D45,SHA256=C5D5FDAAA4D6D4F9355ED7065C45DD5A357DB3837B1875A4C7D910408ECB8DF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323397Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.604{99D2EDAA-5F49-619F-1F01-000000001002}32401364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323396Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F49-619F-1F01-000000001002}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323395Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323394Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323393Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323392Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323391Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323390Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323389Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323388Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323387Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323386Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5F49-619F-1F01-000000001002}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323385Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.386{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F49-619F-1F01-000000001002}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323384Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:49.389{99D2EDAA-5F49-619F-1F01-000000001002}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000370095Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.108{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000370094Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.108{27B459FE-5C04-619F-AA00-000000000F02}42444452C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 23542300x8000000000000000370093Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:49.027{27B459FE-5C07-619F-B400-000000000F02}5088ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\R31MDF37\microsoft.windows[1].xmlMD5=D5177F7FBA6E1A60FAE687905CE97B15,SHA256=C0FE9E1A6041D21165134BE18779E7C9DA7F09AB70B5D697368D88186DA85C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323413Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.964{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3C0C50E7A370A8E84AE5DC09931759,SHA256=B29A3A91EA7FB029B491523663F4685DA100559E742BF9E29270B5F9654C2EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370114Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:50.894{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8593A273683D5C9C1C86B4CBA8F32BA6,SHA256=78D30A52E4C61DC06EB05107D0DE2A2D26C571CE078284B535A6102279885BD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370113Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:47.302{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-29161-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370112Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:50.472{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B6162B320A314A47726EA5C6DB661F,SHA256=E96392082A02DFB300DE77F99758C295F857D669938819A800B4A9237178C9A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323412Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F4A-619F-2001-000000001002}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323411Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323410Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323409Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323408Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323407Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323406Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323405Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323404Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323403Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323402Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5F4A-619F-2001-000000001002}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323401Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.526{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F4A-619F-2001-000000001002}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323400Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.527{99D2EDAA-5F4A-619F-2001-000000001002}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323399Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:50.417{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B874AC6C35D425E06F7F608F98C7E456,SHA256=E1D561CE3D8B289D44409D16F9E466E5735A4C6B302226A97F07612677EC5FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323416Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:51.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89BD9BE0F20D6E2359799E5CC2030A1,SHA256=32736FC45498903319DE543608A5C2509C7740E680D016E96086F9728B4BC2D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370119Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:51.722{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370118Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:51.722{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370117Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:51.722{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370116Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:51.722{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000370115Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:51.488{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73BB8B81C3ADA8AADB29990D1DF89DF1,SHA256=74F63C26E85AE8CE5AF445B7FB9507CFD8B51275E225E28E9FF1BA8DF8ED13D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323415Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:51.542{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50337E95F0EEAD72EF87645572148953,SHA256=FB0965D5119EBA60DE28F4A938006218450146E67F2A552EF7966596E9C16EFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323414Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:48.708{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49970-false10.0.1.12-8000- 23542300x8000000000000000323417Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:52.979{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84FDB6E75A8BF0A5D8764BA3AA5C60E,SHA256=4164B876C46FACB3C118682BEC5BEC3221E3DC0C1AEFCAFDDD75410BCC494D0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370121Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:50.168{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-38559-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370120Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:52.488{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB71438258B247B4CC8A665445F8D930,SHA256=A034127CA81D046E46BD747D7F9E0F69EE8AC1AFAC0F1EB512B037511A1714F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323418Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:53.994{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF84B26A1551261318DC1A44FBFE0C67,SHA256=7BA0075AA1A47DFC097EE994DA97335A7BC3BB2830BE5FCEAACFA21AF3A26DEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370138Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.785{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000370137Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.785{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000370136Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370135Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5C05-619F-B200-000000000F02}47485456C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370134Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5C05-619F-B200-000000000F02}47485456C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370133Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5C05-619F-B200-000000000F02}4748324C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370132Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5C05-619F-B200-000000000F02}4748324C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370131Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370130Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370129Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370128Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.769{27B459FE-5C05-619F-B200-000000000F02}47485036C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370127Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.753{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370126Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.753{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370125Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.753{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370124Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.753{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370123Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.488{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7A75EF920F2132367AB63DA13762B4,SHA256=E9E5F2C7651E9BA6D3BA035915458EC3CB9B192857D43BFF0530B2C8775D2E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370122Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:53.285{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B47DC31FA54C829183F173DB4FFCEB5,SHA256=AD346AAEA695C5DAA6BA44D98EA5E3067E6EC1FDA0A755B172460F0222C7E681,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370140Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:52.117{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58863-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370139Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:54.493{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0727EFDABE79F17FC96076AA3492D666,SHA256=5082101BFF70F1FE0A700662DE917FD3180390B138899E4AD4EF61E160AB6A2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370142Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:55.493{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC21738817525B8474DFDEFE297AF8E,SHA256=9AD9B3CA1F8DE0159787510F9D971CF71F9168A761C67125E081E921A0E1F886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323419Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:55.025{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2FE94AF2506D8E6ADB1FF551419B1D,SHA256=EBA4BC9A6CB18FF67A7169DB4B594BAF578731BBBD495F57A80AE1462B33D885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370141Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:55.462{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C44CEA17BEE44B9EC30917E808D61E6,SHA256=1D2685414B707798223FE1944E308C9E6CF21160EC3713649D01264AF855D9D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370144Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:56.493{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E463DB1C09B892F82E0A0C5B6E83A9,SHA256=6F9E086B92024735FB953B56B61EA2D7C16CC8BE5184919360E2870651BAA094,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323421Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:53.771{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49971-false10.0.1.12-8000- 23542300x8000000000000000323420Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:56.025{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3F295002A2CF6ACE1E6321DE116D2E,SHA256=7D24F40DC9582FB74E4D721FF9615649487CA22B13F018A0108DF1CFDD51A7B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370143Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:52.622{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-48156-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370147Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:57.790{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53EC6E360709E4CDED3E91B6133FBA42,SHA256=5C2D59223B34F08986AAC0A0C5FFA627D4559F243DD83CA032B457702BDE9FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370146Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:57.509{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B1D4E6A550E30030BF50EEBE2709C7,SHA256=ABDFE0156531C661BA3FF26E6A62AEA3A6ADA90FADB0F71DC2694784AE21E18A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323422Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:57.056{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBABEAA87A0032189420486801D0FA4,SHA256=E1ADEFB5DCF6C97C52CD867F2AF8986790767105E1F63100323212873C52466F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370145Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:54.815{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-56463-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370148Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:58.509{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D164B5CF6438970EBAE36909A39CBF4,SHA256=768FAC811F2FC73BD7855B3FC9E660C626A0D1A8EC4092A444538C3B928ECA07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323423Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:58.072{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE4AD82A693C2064A28AB45559573F7,SHA256=C9D9977103B11CFC23F6553236F8BF321CE811F4DD92601D13AA67469F34C759,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370161Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:57.201{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58864-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000370160Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:57.030{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-6604-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370159Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.797{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1C68C187FD5C56454757E0D7AA4FADC,SHA256=05360579CFE38A26ED749B784FF1525C72FF3E91149AA386D60779D2C32F4B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370158Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.516{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE92505EA25DBD7ACDDBB2091CB34FD,SHA256=D17540FF355BF8623ABD82A120C51DBE4BBC238BD98A745DFA84DA5715118468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323424Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:59.103{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F788146A9436B92F042C6A51E38E49,SHA256=EE6AEBCA57C1F6FF5D73286FBBC93F8044DF51AEF7CD9654C4F23DE30F150329,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370157Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.212{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370156Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.212{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370155Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.212{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370154Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.212{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370153Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.212{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370152Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.212{27B459FE-5C04-619F-AB00-000000000F02}43364368C:\Windows\System32\sihost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370151Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.040{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370150Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.040{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000370149Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:59.040{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000370164Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:00.547{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A59356140556E22F3D707EB166A6A55C,SHA256=FA2A5D63D73F264B8A41428BD2559F4682B9A39BEBAC056155F96129547EDFE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370163Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:00.547{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=25619E51DC1F4003FBF09D9D25E9FF39,SHA256=B91EA7C68C096ADE192F1E6A3D93DF5CC645BE0B7914238A9D5BB68BEFC95DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370162Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:00.547{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=541E899F62D39CB0515890AC262698B0,SHA256=3135E5257771A2A4D5B65F2DD85FB7CD4B057633132E71E8A9BEA71D89C0DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323426Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:00.108{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B748FC45F15318FF2254B5CC6B00B5,SHA256=66EE99B2526DECE9A5BE7C4C764EA184C247FAA8AD5D359CC03B1ECA66656B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323425Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:00.033{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-018MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370167Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:02:58.979{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-14328-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370166Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:01.626{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF6DEF9805010629CDC8F3B0E60DC4A7,SHA256=173901A73F7C458209A7256504D74157A80B31821636ED366315410B7F7DB751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370165Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:01.548{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4970A054388E2891B485CBD5163677F,SHA256=BF3DB79EA6200780F5834DA491AD7B62541A58D330CABAFBFE7A0DBE61251FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323428Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:01.122{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F4A597CD81DAEAB3BA87333F09CA3F,SHA256=72689942DD5B6094027835A69A3BB4EB511E387B7CE8C3EA7E209B576CE3BD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323427Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:01.047{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-019MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370169Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:00.874{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-21587-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370168Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:02.563{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DFB6BDD7EFC0E92A7B44CD785F15A8,SHA256=063265A1F58E960C0B5490309EB8DCFB59840D3CA72E8F9463D18D293D54B3A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323430Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:02:59.776{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49972-false10.0.1.12-8000- 23542300x8000000000000000323429Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:02.125{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044765D67CC3778442D196142D436065,SHA256=5148961EFA8C734AE7E119E4CCC16A955990624928627109E82CF3FE17BDE100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370171Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:03.985{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DD4363546EA93D66CF096905D2B6FE8,SHA256=EE18D1840BF5ED1736886F947DCD2BFCB6D0BAC938D9BBE5400CCE89B762805D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370170Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:03.563{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66477E1F1654BB9DBE381C3CCACBD20,SHA256=C8CEEAFE7B4660D7C218206741083F3BF21F4EA46873D6AD0AE37C64296A2FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323431Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:03.140{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB3A0CB527B66DE80B47CB5DB3CCDC5,SHA256=AD93CB4B5B07056C80948F2DA004C3040E59BAB630B2EA97456E000118878ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370180Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.579{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABE77210EE657FCA6420DF0B29E9C34,SHA256=BE86EFED22B16D05EEB76312362E760D233904B13E2F51DC50EA4C2E8F731F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323432Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:04.187{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3447D034C0CE4C3CA9D7EA80E29E308,SHA256=6C784AD3AF85976B6A9D9F29B90328D5F861CE67D83BE73A6D5E7E3447F6DF07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370179Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.423{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F58-619F-5E01-000000000F02}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370178Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.423{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370177Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.423{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370176Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.423{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370175Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.423{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370174Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.423{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5F58-619F-5E01-000000000F02}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370173Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.423{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F58-619F-5E01-000000000F02}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370172Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:04.423{27B459FE-5F58-619F-5E01-000000000F02}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000370194Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.610{27B459FE-5F59-619F-5F01-000000000F02}59485344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370193Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.596{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E967C705EE740A841B4991BC1574314,SHA256=D4614A1ADB04FE5F98FABBBE2EAC5B71B5A5FD2F2AEB92842D7F29420D03C04D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323433Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:05.202{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F3279D6ADE151A5F2CF7A3AACA6D6F,SHA256=B9B92BE790F5676469921A2E4964EEC25E28A477F3C83CBE584D64FD03E72AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370192Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.455{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B179E3F0F175157FA3912927C8F3D4B,SHA256=72A9219B3D7E0F8217DC0328BA936D479286D35630C6DEB7BA66921486D437BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370191Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.313{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F59-619F-5F01-000000000F02}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370190Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.313{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370189Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.313{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370188Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.313{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370187Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.313{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370186Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.313{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5F59-619F-5F01-000000000F02}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370185Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.313{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F59-619F-5F01-000000000F02}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370184Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.314{27B459FE-5F59-619F-5F01-000000000F02}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370183Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:02.599{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58866-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000370182Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:02.599{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58866-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000370181Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:02.286{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58865-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370204Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.611{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E26DFAC4AC4556A5B4DECF1AB165C617,SHA256=7D6BB9829539A00B1A237F6FDF3B0BD9DD397E91FAF98BF563CB7A3F8BBC9C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323434Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:06.218{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0DE5F3A337E44A748F12DF529308C5,SHA256=346A1EC6BE30E0AAEE925E9F97A8CD42829D0CF7B5C5AD221F668914BB6A2385,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370203Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.470{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F5A-619F-6001-000000000F02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370202Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.470{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370201Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.470{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370200Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.470{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370199Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.470{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370198Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.470{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5F5A-619F-6001-000000000F02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370197Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.470{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F5A-619F-6001-000000000F02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370196Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:06.470{27B459FE-5F5A-619F-6001-000000000F02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370195Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:03.227{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-30530-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370206Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:07.829{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD908428E1175DD1244AC39F601CC87,SHA256=683D4D7D7811599AD9BB4EFED9E16975F212EA678E73BA562F85359C880D66E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323436Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:05.793{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49973-false10.0.1.12-8000- 23542300x8000000000000000323435Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:07.249{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689213BEDCE5E42AC4C3406100FC9DD4,SHA256=C80CCBEAC2D20FD94374272B3A0E9D5D19E03508FA3BDD408A69C15FFA409B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370205Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:07.470{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7FE5FB88A6DD11DE79C33A9E0B81012,SHA256=C53880AE258842561C086F0384B026E3C4F20C112AC2FCD9EAC1A4B17DC44926,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370217Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.938{27B459FE-5F5C-619F-6101-000000000F02}46405816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370216Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.829{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2FDF8A8497B33B2B54E443E56DAFEAA,SHA256=CAD757BF1D760D0FED23EDCE15DA7D2368A75FDA0145FCA40675D6CCD33F471A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323437Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:08.311{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523536B956B85F6754C62245E1732D76,SHA256=A318828B45301B13401294E8D6D27DDCF0EEE2B77B2682CE82C418FAE12D527C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370215Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.548{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F5C-619F-6101-000000000F02}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370214Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.548{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370213Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.548{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370212Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.548{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370211Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.548{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370210Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.548{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5F5C-619F-6101-000000000F02}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370209Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.548{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F5C-619F-6101-000000000F02}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370208Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.548{27B459FE-5F5C-619F-6101-000000000F02}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370207Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:05.622{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-39462-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370228Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.829{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A542D4371861723723B338C5101E63,SHA256=F34E18337AC0DD62867632E87BAE8530E1B5262E3A40ECAFFFEF05614BB8A534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323438Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:09.327{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1442401CB699CAB33CC5B76B2B7673,SHA256=51693F71ACDE62B4CF131027727F4041EFDDEAD35E3B61B52F4BBB96B1647B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370227Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.548{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1525529742FD70D79E6FB6BF3F64BF19,SHA256=AC63C4CF51F0E6510586AD03EEA3FFFAA93F4207B8FD391640BDB91FD08ABBA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370226Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.376{27B459FE-5F5D-619F-6201-000000000F02}41484668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370225Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.095{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F5D-619F-6201-000000000F02}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370224Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370223Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370222Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370221Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370220Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.095{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5F5D-619F-6201-000000000F02}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370219Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.095{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F5D-619F-6201-000000000F02}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370218Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.096{27B459FE-5F5D-619F-6201-000000000F02}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370238Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.829{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71474FB8C3523B5D8C1E79B99569BD04,SHA256=5A3550BAFDA93C0B4967368A36E633BA2E65513FBAA234F53FC35DBC68A0CC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323439Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:10.327{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877F1F505FB61879B29719ADF838BA72,SHA256=E9F39D95E22AC973A14EDD5287465B15963D52E3AC1FFA938D9FD042C0FF87A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370237Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.407{27B459FE-5F5E-619F-6301-000000000F02}60044652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370236Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.095{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F5E-619F-6301-000000000F02}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370235Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370234Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370233Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370232Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.095{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370231Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.095{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5F5E-619F-6301-000000000F02}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370230Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.095{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F5E-619F-6301-000000000F02}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370229Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:10.095{27B459FE-5F5E-619F-6301-000000000F02}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370242Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:11.845{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74A84C8CE4D4F3E20E70EC823401DF6,SHA256=56E2496BD23EFF8B87D4FF2C44E257BF4CF6114B0AC362471892050BE9E3992E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323440Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:11.373{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232AEE907FE7F9128050D36DBEBAE094,SHA256=0730B14C678352F562493B3F3FD3557A935D5D7AECC6D24473053AC45A3F0E72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370241Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:08.083{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58867-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000370240Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:07.701{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-47640-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370239Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:11.112{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44003E75FC1A01291F37A606152F1448,SHA256=08B0632CF0B03852A51780E92BC935444505B96BB5E64971D68C77B0E9136527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370252Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.892{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9518A19E1A51F2F7F57AA9FB719F2D60,SHA256=C946DD0FD2F0B6804190536F1A59F2768DF7956F8B9AD6675E4B9D651FBC9FF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323441Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:12.451{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77C752BC85EC1A5954706A94C5A9FE3,SHA256=764DDB76CADAF5E69F8CBA0B849A331FD948C54167DB47E22CE7A24847EE81F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370251Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.454{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA37920234D6BD9416084C5741D39373,SHA256=26B21ACB3E411F4E4B0AEC5019294C57B849FFEA9093C6E89F240FD4B5E8F6F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370250Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.079{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F60-619F-6401-000000000F02}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370249Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.079{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370248Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.079{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370247Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.079{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370246Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.079{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370245Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.079{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5F60-619F-6401-000000000F02}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370244Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.079{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F60-619F-6401-000000000F02}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370243Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.080{27B459FE-5F60-619F-6401-000000000F02}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000323443Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:10.824{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49974-false10.0.1.12-8000- 23542300x8000000000000000323442Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:13.482{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5191D4769FDB263ED5523E66CDBC6DC4,SHA256=B5E69AF043C65F09A6B0730B7C3AFEE2E48CEFFC7298F56E11B2769A8BA4EA7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370253Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:09.717{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-55873-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000323444Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:14.482{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB43425538992088BCCC7871F209B60,SHA256=20124750D03A7BCE852ACCEB675394A4BFA02C6727EAAF11B0127BFD30E03B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370257Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:14.985{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D14687377A69B458670FB12D47AD2D16,SHA256=E08B50A45B2FD988F63B1B0160701B86D80F43179BBFBBF37F69C5C4BFDE12CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370256Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:14.657{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370255Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:14.329{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5FB836248DB52CCF29D7B97F0624D17C,SHA256=1DF0AB38B60117853AAE1AABFBA25702C794EE8CB4E2FACF35D10BCB18553F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370254Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:14.064{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202138A66E80802BCBE54D8E0F6B7789,SHA256=91408E987AD3275F942904E11EEA548490153133903F1FA609726F268E679DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323445Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:15.498{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7119B5BE71C71009F5B877AD742FAC1,SHA256=77F4BAED93CD7C4A91DCD28F659ED2CE39FD5C82F20109AAA087EAB6FE3C1925,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370259Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:12.318{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-6427-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370258Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:15.064{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC4B21AE47F387FFE6608B6C98BA706,SHA256=6305D46B9A8EDCF8B7D9F3062082630A5DFE154D2FA4E66CA9BE88F5AD7B11E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323446Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:16.498{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=783D1D0FA940786460F4BA30A3E7A4CF,SHA256=C44C22A0DC7AA583FC4AC5BC5B897F79195D2C1E4A57033E3DC94E879C78A1B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370263Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:13.677{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58869-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000370262Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:13.271{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58868-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370261Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:16.314{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5BB0149B329C132C5713BEAB80CF080,SHA256=EFD1391593A974FB0BB5EECBFD4011CE1ED3DB4F0D82FD273FB816AB69806313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370260Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:16.064{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E77826404D24B85BBA3D8321D9F2B7,SHA256=FA3A9DA94D0FE9EDD584C12767F52BCBE72E220C7D824D88727888F61859AF1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323447Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:17.513{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C863DF76D62F23C4D2B48F05223981,SHA256=8BB6686190EBD5C303ED4E647F8786A0F162A5BB90B11F685C5D2DBE173FBD73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370265Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:14.122{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-13654-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370264Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:17.064{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65E7E5FD788D3CADA865E317B18DBF9,SHA256=9196777A2C33F94D544691D1CB12488303C8B8FC756B1267DF17E5AD34AC5D9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323449Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:16.590{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49975-false10.0.1.12-8000- 23542300x8000000000000000323448Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:18.544{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BB7B07BDB97553E7EB70F2F1DEB1E3,SHA256=D9DC4D76334D91AF5667CE03F603938725D17B27A7F9811781A41F88A61EA1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370266Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:18.079{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7271975ECEBAF6F6FC6B92D344D51B2B,SHA256=CEAE19BE495D3B0CC6B0A74750FF0FDF3A1FEAD26EB7180AE67BB1165C2340E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323450Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:19.574{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1711344BD343FD54E3B95EBA10B09A81,SHA256=DB3AFB78D383BC548FC65C08B5CEAE16800796E2CD329140FCADDE496E7947EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370268Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:15.710{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-19961-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370267Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:19.079{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD537882EB2A4B58C2D7E10205DA5A24,SHA256=489904B90D776F9E52E3C0B1B0E6784350B08FF59262453ECA4C8E87AA85C682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323451Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:20.574{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F63FB49545A3F42691E02B55C5C88A,SHA256=4C04AA64AD151056AC3F673B86B958FC7FB106F5D8D49D036069D9A3BD99D8E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370271Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:20.981{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BF538C73807769E4BDDE43ACBCF2504,SHA256=EE0D7966B7D1AE8186E5F89F3D96B2915BE35C6E22EBED53E7A0BC3863E3C4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370270Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:20.178{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-018MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370269Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:20.082{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA75375EF630F2BBBC32D5FB45CDDF03,SHA256=AA3F950A873E67649F84ACF24C97200544ABBB8853997A9A095A3D59C425B834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323452Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:21.575{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145B8A6138C9DF9DEB8136F1D4C8EDC8,SHA256=5217FF3250C4ECA40A66DE33E1817506C512F01238490A1F54654BAC4B7F5B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370273Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:21.185{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-019MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370272Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:21.106{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EB884BE9AF90BC78721F22A340F634,SHA256=0D2564709BC56F534DDEB9A583306BFBE062565FBE601974B335378AC355BBBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323453Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:22.589{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B829336BB3287C2B4CE8C42516043C,SHA256=4F72C8E0AC90F5F86FB0BCB5D03D96637AD5BE060D53D11FD8931FAA543BF25F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370277Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:22.458{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DAB6CF261745F91BFE8396CBBD35B1A,SHA256=41B8BC1C6CDE920C56618A7F7AD2CE17C3315118D4C6557CAD7843B65AD0EB0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370276Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:20.101{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-25305-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000370275Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:19.165{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58870-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370274Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:22.130{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF09D7865AB69341AD0A84A2CAD717C9,SHA256=600839D5F8F5B58C89437D6651C2B379571D7A30FE1A1322B41E94A2244EA662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323454Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:23.589{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719FAC5D792808D35010F4619A18BD1B,SHA256=2C91009847DAF133F17625825B0C59A164B84A205208DEBEE72B87B94C848490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370278Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:23.146{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142ED4D2D2496112F657772D243DDE84,SHA256=39368382310C564E92C864BDC7E9BA743C9F9DC7719D8C4CD4DD65EA68839D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323456Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:24.620{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257032ACDEA211912AA84C5905F10535,SHA256=1F9C95FC689EA4DD4DC27E373E32474FE9B7E187ABE06D701B3BB01B77B22763,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370281Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:21.640{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-31131-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370280Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:24.146{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B45BBE68BBCF7821B3DAD3FBB0D9EB7,SHA256=DB3AF96F24562E6E1BD8A420A4AB2D5FC36ACC74C90D9C193D4CBE61311FC1AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323455Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:21.651{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49976-false10.0.1.12-8000- 23542300x8000000000000000370279Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:24.130{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C985B2526911984D2716525CCE8259F,SHA256=D2140AAD94B6A98607C2AF241F3211A59A8AA6F2E1B0341DD7A2DEF78EACD853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323457Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:25.651{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF18A6D31E5F67BB307A2CCBA5F95B51,SHA256=377D99CC477FE1857097FFD8A646EC0B85D25B611F64ACDDF06077BEEB67F618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370283Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:25.927{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76157CDCE56DC2BFAF3F6AE8E9743687,SHA256=DDDFEFA8AD03256FA391199684525C91B35F2C86DEA9D7274E358D3FD54A2589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370282Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:25.162{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70417888D8D263001F82799157A2F317,SHA256=E72D47FF650F5D0B361EA152D2D256F9159010C05DE6F030E94D689572D53FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323458Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:26.682{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B54D095B2BAF4C88822B312A994232,SHA256=E5855D27528DA2527BA33A6E363BBB5385804B849CF417663D6813C4896B461F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370285Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:23.348{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-39696-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370284Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:26.162{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074EB5A5415D0074F9AEB60C72666DDA,SHA256=865EA8225024B8FCAB86BCD414FB635CEC86144DCE5D438125953AE6E76AEEB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323459Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:27.729{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F937FCFE7FCFCC22ACEAE83E9C760A,SHA256=9FC24B291CFAB36DF2B0CE09636E1EE2CE23C02B7AE6525C8C8D2D8AE1C256D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370288Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:25.118{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-46885-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000370287Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:24.228{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58871-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370286Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:27.177{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0C81E697EAE6862568E4E2155FA7D1,SHA256=EEA70753914DD698D99A1E9C76D8178F73B38E45F5D86CE5EBE70EC644502E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323460Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:28.776{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C23013A142B7484D8C26DA1468AEEC,SHA256=B279998307C895257B990A221A760AE00D0DC07203A3616573DA5AC7A67F349B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370290Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:28.568{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACEC23A88AB3C17F26FA6137DA9DF5F2,SHA256=D24BF33A2BD4D91C6392A90357058194DCAD98CE81AEA22AFF68E5D10E46DF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370289Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:28.177{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE6DB78BF581592FBF779E1E3723D52,SHA256=EB954B2F1934C109E9A30DC7711C551AD021BBD918B61AA679EC06A7DD2B3C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323463Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:29.776{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF8C24B655915AAC9528A7CD1229497,SHA256=F78935A123E2BD092288972144364B56A7894C382538DB9231B39D9926D77D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370291Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:29.177{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E17934BC929EC6A9307B049F0E65B66,SHA256=AE6C4C1BFC4A709ED2FE3CDE1E82F1A35D64AABF04653633B6D3930CF81F3807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323462Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:29.370{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F671F97CF4E1B86EBCC4094C87D8B45C,SHA256=C6EECEB5A310795164789F7F1FE09BDCFBE7E40F84741B0495D390B26E39D7A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323461Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:26.839{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49977-false10.0.1.12-8000- 23542300x8000000000000000323465Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:30.776{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D630EF56AFCC70AB73C7A5916EED4D91,SHA256=43FCD482A9A9F885A747A755AC814F9574C0B9DB039EDD6225A27722B8E332E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370293Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:30.349{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A451B1FAAC2A5E9B8FD84EF952A3C5,SHA256=52D098C333AB6304C9EE8C71361F1F55B6E1AB1F91973294F4162CBCC9E7D6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370292Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:30.177{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C96CEE2077899C16BA16DDA5CA8F0ED,SHA256=5CD34EF0CAE32740231E98EF889251A837CAC76F59B62FD53855AF3CFAF64456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323464Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:30.213{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323466Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:31.776{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFCDDFD3517541C584AEAEEC602228A,SHA256=95157D590B7AD088F75B99981E547CFC8C3B88EA404EA7BA5F7DA961A49F62AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370298Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:31.755{27B459FE-5AC2-619F-0B00-000000000F02}640680C:\Windows\system32\lsass.exe{27B459FE-5AA4-619F-0100-000000000F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000370297Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:31.755{27B459FE-5AC2-619F-0B00-000000000F02}640680C:\Windows\system32\lsass.exe{27B459FE-5AC1-619F-0A00-000000000F02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25b8a|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370296Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:31.755{27B459FE-5AC2-619F-0B00-000000000F02}640680C:\Windows\system32\lsass.exe{27B459FE-5AC1-619F-0A00-000000000F02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000370295Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:27.756{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-59364-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370294Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:31.177{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B611E297E3CA6EC78A943810072F3BD,SHA256=0B72F03677B54F7E83059E097FC11793F8F32971285653F63E24D4745EF1FF01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323468Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:32.777{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA43F6C17EC70BC8644C1FE1A4E19A3B,SHA256=3BC7A7561008C84E50E07840B026ED9269E996E684BAF656A3F5A946B261D3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370300Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:32.756{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64AC5DA2AC5390A1FCDB6474A9E51A7A,SHA256=7812096786EFC17FF4AC41569DF81B5F63C4DB2FA203AD0210B65BCBD7386599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370299Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:32.177{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47178E5AB80B2A0FABCCD213DB06BA8D,SHA256=1A3CA73238F0E391F07D7F7A82ED99AFDD964458766E727F23B8AC92EA6976B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323467Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:29.776{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49978-false10.0.1.12-8089- 23542300x8000000000000000323469Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:33.777{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B9BD9E29929EC7013404E4648C1AA6,SHA256=FBB0A3DBA227AC5AE1A7883FC0EB58185F1B85C65448AD2B4912BFF4CE3B0FB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370304Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:30.792{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58873-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local445microsoft-ds 354300x8000000000000000370303Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:30.792{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58873-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local445microsoft-ds 354300x8000000000000000370302Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:30.120{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58872-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370301Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:33.177{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E3A7DC9D8B28636C101F8F358BDF12,SHA256=D0FB191F920583FA79A1F7A6BA9DD3998D4A8FC0B5234B0C48F0A4EDEAEA31E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323470Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:34.777{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31844FC2452BAEE1A12E3A6178A3485,SHA256=30DEBD42FA3D8D8E1D59CC3898F1DA188C8498C446542F25D877FDD736B19005,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370310Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:31.724{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-10495-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370309Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:34.412{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6D24FF409AF934973AFFA7CC0CC6F1D5,SHA256=8667BB84EE171EF336ED2ABAA82E0B64743A606418B917C65BE042BB073079E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370308Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:34.365{27B459FE-5AC5-619F-1600-000000000F02}12885196C:\Windows\System32\svchost.exe{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370307Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:34.365{27B459FE-5AC5-619F-1600-000000000F02}12885196C:\Windows\System32\svchost.exe{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370306Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:34.318{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A4BDFB5C13AA86A033A1176865DD081,SHA256=5101755428802A30E1C7B1B218F7406C029B4332104B9B1139DC59131A0906B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370305Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:34.193{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19D3195FB9BD1F011482A57E912E3C1,SHA256=1B8B76F619F8448D8B922E3ED19892A01B9A0A8EBCB0FA8D1E0F8C2637998647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323472Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:35.839{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2373E26EF5D72525E335FB15BA6BBCBC,SHA256=515C1AABEF0F76D0EF59A0393220ACA8B81EC9C3C13FE820E31CCC5AD7608A73,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000370323Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000370322Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00131948) 13241300x8000000000000000370321Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1db-0x540950b1) 13241300x8000000000000000370320Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e3-0xb5cdb8b1) 13241300x8000000000000000370319Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1ec-0x179220b1) 13241300x8000000000000000370318Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000370317Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00131948) 13241300x8000000000000000370316Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1db-0x53d71458) 13241300x8000000000000000370315Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e3-0xb59b7c58) 13241300x8000000000000000370314Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:03:35.912{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1ec-0x175fe458) 23542300x8000000000000000370313Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:35.615{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C98480F885D64216D2207E7B2B67748F,SHA256=EC2317AC345332CBD2BD494F0A3EA7D5F8D1058455215287EEFF419FE813AC52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370312Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:33.456{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-16858-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370311Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:35.193{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3E86973DE13A208BC6B0BE4C382E57,SHA256=2B4DBCF952D3245A4753E36A5BA343E14A1BDCAAD07319873A0C72C49360FAC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323471Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:32.731{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49979-false10.0.1.12-8000- 23542300x8000000000000000323473Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:36.855{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5733173C8C09B0D4EEDFC6788E28FAEF,SHA256=92AC54F3199CA1637101D84D9C9965C4D86E082766F37979A9F801A2A3D19A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370324Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:36.240{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19125ACE74A169AFAFE6E0EF8A0F11A,SHA256=D6A4677DBC5CDA8CD4D3F05BFAFE175D6A2EC7080442028FAF12ABC0B8FEC7F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323474Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:37.901{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6B989F8C2A6132A9EDCBFB0DEF40BF,SHA256=8C836F70CD520278723FA8E816971A090D2613DB3083A7A56756D36B52F648FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370326Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:37.474{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28C82A528FFE0AF802040A3DAA07006E,SHA256=04444987E7AE7CCEF55A92EAF561F0E56665E6605C2D4F86A610AFB21E40755C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370325Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:37.240{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28762109A309A91FBFC3A218089D293B,SHA256=B74DD94F37561AEA1A59A3FA6BA3F6AEB898771A2983BFC1828F71903837550B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323475Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:38.917{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295220435756DF0C293CC3814ABA5EED,SHA256=05C04894EEB418C86F45F8BE10ED2111668C168205CDEA7C217035258F24291F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370330Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:38.771{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58A78882256DAF8D1FB70287DDD22987,SHA256=E55ABBCF80A474BF169F6DDA0C1D8A405C442F00809BCD07131B6F35EFC0BB0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370329Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:35.182{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58874-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000370328Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:34.815{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-24540-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370327Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:38.240{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896B4E29DF6102893F6623CC391C6783,SHA256=AA5BF12762C6DA66982D089F87ADE03919B3869194B8224ED473E04085D99D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323476Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:39.920{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EBCB26EE5C4EE3C1318B6BBAE3D638,SHA256=1628219D69557F7B0419F45DDFCDFE73A8C5E408A41A9149BAE284D1F70C411C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370332Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:36.605{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-32072-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370331Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:39.240{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D75C4D5B3304E0740116F7C19CA530,SHA256=C2FAB69B7B1AAD9AEB833B4BA9A095AFBA4948D3843A6A6ED2B4D2C1FA33F877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323477Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:40.951{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67C6091330198BF28B300974605F20E,SHA256=175B047ADB804CE3C41310658AEF0A42FF93B9147301122345F0CB5C573FBE89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370335Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:37.998{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-40339-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370334Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:40.444{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38F7B8D92CBF172242E525A21574F302,SHA256=1F0DF6BA2CCD65DB1902971C592C8E0645B4CB227654F09D21B88867F9BE75F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370333Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:40.241{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD9874ACD442725A39B71542CD4257A,SHA256=08E24F93F4E0304BE90608B25BECF4E7F2D8F4552E9378AC30F830B1C6643CD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323479Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:41.982{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9120BFD22BA59B9929372FA5FD551073,SHA256=413E6A1A8C209E743D718E40D3A51EBF797E9C3EA08794BC35DE05E3AF31F7B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370338Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:39.568{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-47394-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370337Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:41.741{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE847F6191F5533F011DE52B517DDA9B,SHA256=CBDA6E47EDF3BE59117F4080983F216F594D0C4B95350A44BE000A9F400AD37C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370336Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:41.257{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAB8285BC572494939E3641FD69C404,SHA256=7DB7BE92077AA209DB04814AD306CC28E1F65079D720AEE1073A4F6BFB3A4559,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323478Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:38.778{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49980-false10.0.1.12-8000- 23542300x8000000000000000323480Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:42.982{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1337E3BB170D30908C1DC1ABFD64E243,SHA256=0921B9B9753EA8D5D3F2DBB70FFDD21254A1776599BAFB6A2E1A3C05F94E48E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370339Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:42.257{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C076E847D6AFD0236111B30FA2A15F8,SHA256=33DA8AFC19A55F3EF2AFB555E815FB92B009C2CE100CECD013C33B7B347D91F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323494Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.982{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A2E232D040837CBAB247CE10C7DBA1,SHA256=C442AA508251B36294BDD8770F72A7AE891838C9630FC119F55C957D55FF4A4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370343Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:40.910{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-54176-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 354300x8000000000000000370342Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:40.182{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58875-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370341Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:43.351{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D4222B586965C4993660A8FC11A987A,SHA256=6E282C74CCFB8BB01281F29E3B63F4E1A3272A5EC0D10E415E0E64F91AE044CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370340Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:43.288{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=512A53B7BA5B8B90A9DA50EF0893E458,SHA256=F7E44423D20EE2801E7497A3695062C493F5A34E4BED2C595C83D6D9DBEBDF8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323493Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F7F-619F-2101-000000001002}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323492Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323491Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323490Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323489Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323488Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323487Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323486Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323485Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323484Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323483Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5F7F-619F-2101-000000001002}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323482Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.716{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F7F-619F-2101-000000001002}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323481Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.717{99D2EDAA-5F7F-619F-2101-000000001002}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323510Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.982{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F03A16CDB8FC707E27C6AE0F5C8DAA5,SHA256=6EDAF25AFF5B39996A0E0FBCC62F1ECDB87408D65B988DB6DCCED5310CD4B9A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370345Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:44.679{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFBB57CFFE79D1EF74DCB86180CCFA02,SHA256=6534F7AF2BAF75AB819747A5CC1D1BC83BF9369DA6013C8A6F20C56C2E172E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370344Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:44.288{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331259C074E5E64F15DFA89101EE4F7A,SHA256=F435E9DC90E660786C77B3FB71A2781946E6902CEE782DDA6BE6E3FEBFE8EF9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323509Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F80-619F-2201-000000001002}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323508Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323507Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323506Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323505Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323504Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323503Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323502Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323501Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323500Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323499Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5F80-619F-2201-000000001002}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323498Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.872{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F80-619F-2201-000000001002}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323497Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.873{99D2EDAA-5F80-619F-2201-000000001002}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323496Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.732{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D03157FADE008C92A2B61286620AAEBF,SHA256=783146C73E7D86CFCE0A4007CA0374F445718C3115A0D8C578C8E510EA7FB188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323495Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:44.732{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE0A3E3CF8779077C129A10484541C27,SHA256=58A68CD6B3B2F99096F3EC52A75DD43D6D5B3723EE8269142AF8B6AEFA5560F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323514Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:45.982{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72DDF49343D468135F0E851CF283961,SHA256=B487B05076D2C8E656C199FA48E3A26397CA540C0985E3B8845681CD3A0FCB5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370347Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:42.472{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-1870-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370346Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:45.288{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356DFD7C4647C2FB6BF02AC8C534DCA4,SHA256=78B0507BCFE53A33FD3A9CCDF0B3BB3931756B11F9B96C6A21CAD971651D8016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323513Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:45.888{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D03157FADE008C92A2B61286620AAEBF,SHA256=783146C73E7D86CFCE0A4007CA0374F445718C3115A0D8C578C8E510EA7FB188,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323512Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:43.828{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49981-false10.0.1.12-8000- 10341000x8000000000000000323511Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:45.060{99D2EDAA-5F80-619F-2201-000000001002}8321600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323528Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.982{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC36487CD5721F9703473CF12D96FBF,SHA256=E904D484BFFF7E9ACF9F719913A64C95C52AFAFC00CDA3E4D5C7FEDFFAF923A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370350Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:43.813{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-8172-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370349Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:46.304{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE9FE26B67B27BF25FA087ABB2E37B6,SHA256=C6ABB8AD28BC35F5415DE80FAF64BB7707556736CC5DBFCF50B7F48DE037CE81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323527Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F82-619F-2301-000000001002}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323526Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323525Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323524Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323523Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323522Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323521Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323520Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323519Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323518Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323517Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5F82-619F-2301-000000001002}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323516Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.044{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F82-619F-2301-000000001002}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323515Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:46.045{99D2EDAA-5F82-619F-2301-000000001002}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370348Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:46.241{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E232D5FD7112A0442A2BE632423767F,SHA256=8AEAFDCF661C8B71964257B3A11924D1F00D2C2151AEFDC3A36F8B709BBC93A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370352Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:47.585{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=346D96C0C5539D68606517B14BDA9CD4,SHA256=FC7D43700B44DE1A18DAFA2F793FC4A84B694B341DF8FC130AD4ECD7C2D31453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370351Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:47.304{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E41CBED7DCF09FB5F20C136B7B5AD30,SHA256=C40788CD3160BB6338C197BB0D9FB08FE459A5771217B2D9FE5DB92990697082,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323543Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.669{99D2EDAA-5F83-619F-2401-000000001002}11203604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323542Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F83-619F-2401-000000001002}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323541Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323540Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323539Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323538Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323537Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323536Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323535Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323534Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323533Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323532Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5F83-619F-2401-000000001002}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323531Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.497{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F83-619F-2401-000000001002}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323530Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.499{99D2EDAA-5F83-619F-2401-000000001002}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323529Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:47.044{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7907704E49620FCAF78E9C344EEB5F48,SHA256=A3C0732DF96440D66DA6BD7D8AE0BC647C81AE1A9BA1B83600A739451F63E2CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370355Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:46.089{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58876-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000370354Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:45.450{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-14899-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000370353Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:48.304{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F43D4BD051E7545D565EAEFB3B6BAE,SHA256=5A1A36B33D5FF2FDBE74E5CC24B9A3D5B6286E0264BAAA8747906CBFA76E6C31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323559Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.779{99D2EDAA-5F84-619F-2501-000000001002}40842612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323558Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F84-619F-2501-000000001002}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323557Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323556Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323555Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323554Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323553Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323552Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323551Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323550Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323549Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323548Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5F84-619F-2501-000000001002}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323547Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.622{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F84-619F-2501-000000001002}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323546Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.623{99D2EDAA-5F84-619F-2501-000000001002}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323545Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.513{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C556AADE8E7208CC6C89025189F3324,SHA256=C3B683F1D6297AD90780A02D480113D178F443E117AA0E9ADBA1EDB91D0D4592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323544Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:48.013{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E11309FD688DB9515A52D49FC4438A,SHA256=84B3706F8DBBDA13EB1700E20E99E50A31E53D3CB0638C2C642B917AD9DA543F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370356Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:49.304{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C72894E2B5FC68A821A7A7BD46842FA,SHA256=3DCF63E3130D126E729603CFC6BD5FE5C1D8C2B5BDE53BF725A9193BCD67DAEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323575Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.638{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=140C520D380A54665F5C63FF6C7B4995,SHA256=85789603528C6EEF952BE03C1B514B60FB0A77A326F9E7AC4342350364605D27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323574Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.513{99D2EDAA-5F85-619F-2601-000000001002}28563332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323573Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F85-619F-2601-000000001002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323572Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323571Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323570Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323569Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323568Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323567Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323566Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323565Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323564Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323563Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5F85-619F-2601-000000001002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323562Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.372{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F85-619F-2601-000000001002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323561Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.373{99D2EDAA-5F85-619F-2601-000000001002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323560Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.013{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B929695B817D6438BE7872CD435A5C,SHA256=9116BEAF156741B53A44F3D33B481EA4ED46EB75255EFED9C75986713C957FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370357Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:50.304{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B8EE372ED609174E3D3904DD730358,SHA256=C2EAADE1378197B5957BA5C0B23903494A8ABF23BFE432F7ABE5B6727BA69022,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323589Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5F86-619F-2701-000000001002}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323588Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323587Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323586Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323585Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323584Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323583Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323582Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323581Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323580Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323579Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5F86-619F-2701-000000001002}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323578Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5F86-619F-2701-000000001002}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323577Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.513{99D2EDAA-5F86-619F-2701-000000001002}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323576Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:50.028{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69F37391B8BDC5F5E950276A8760494,SHA256=B42B622705FB56A92A8DCF7B48BC4C1A59773F778AB17810D1C6D569C18F3021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370358Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:51.320{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568C5F5BB15C7CA2470D2F371EB7206B,SHA256=FA19C069D6500E092793A36009DC57ED9897BE47C23FCAF2617B0EC349FBB6F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323591Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:51.512{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C945587EADC9DDE9FC47631E3ED7A5D,SHA256=3384C46559E2C401D0DB08AECC8D42F584482843E411BC46D93D1EFA752FF5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323590Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:51.138{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE436422F221DE946FE469227742CA91,SHA256=FA6CBC8DA4C6EC98316D563CB134489AE44A6705DEA704A818C7EE7ADCBE5083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370361Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:52.398{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7B36C8801A70A353A7D6FA02890CF8E1,SHA256=044E59E09E37D3A849B0C8B3BC59BC2890E32BB3228E5C076D80AE25E344620D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370360Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:52.398{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=25619E51DC1F4003FBF09D9D25E9FF39,SHA256=B91EA7C68C096ADE192F1E6A3D93DF5CC645BE0B7914238A9D5BB68BEFC95DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370359Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:52.335{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A2517DE22F76DF97DADA5704367A55,SHA256=3E6A8173C7FE0BC534C0E4932D9A882691C30CA8D1433B02E5C342165B3B1FEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323593Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:49.828{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49982-false10.0.1.12-8000- 23542300x8000000000000000323592Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:52.169{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1C3724585E9A63FC82CB9764FD820C,SHA256=2D643D10467676424C5568E1655120B40B93834996FD1E51F8312CA259815DDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370364Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:53.555{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7B36C8801A70A353A7D6FA02890CF8E1,SHA256=044E59E09E37D3A849B0C8B3BC59BC2890E32BB3228E5C076D80AE25E344620D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370363Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:53.415{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370362Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:53.368{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8E0A6FFDC5D86940067D01E531F040,SHA256=87010E22A598DC59B961C1323FC212F74EF5A85B4817F7C30F0FED9C456ABD54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323594Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:53.184{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59AEE4AA405A550B7D7C0748D4518B04,SHA256=376A6A3A63237AE6A52C7B9FCB4417FD54F649E3C50F4C17BE60761EB14C94AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323595Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:54.215{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09C90241AF740D8DCBAC4A30F114CB5,SHA256=CE9C43F8A2075603D6152FDBAC32B2A658AAF03C2CECE0904DE88AB555984B9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370367Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:52.060{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58877-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000370366Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:54.446{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370365Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:54.368{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23464A6EB16F1A5B0E8925930283A8E7,SHA256=BE001567A1060FDCC1A512E28153AD88BE539C6E73432E028EAACB79DE048996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370368Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:55.384{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C7DD78A24FE93D6E6C809591634E80,SHA256=970BD702E333BEC4356B597C6555D30AF954430B0B84AF15FCDB1E1B691DE2E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323596Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:55.215{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D89E2F6AF0182F661B7E859664CA02,SHA256=4177081E74BB25DE261D3F33A64ED2C56041BDF8393FFA2CAD5AB2C093182FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370369Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:56.384{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62565544E356903ABD9875EFB10E5E52,SHA256=F8645342FD009853DCDB91C7DEF8036FD17DC0B9D9F37BE3C2B1937AA6FDB8DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323597Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:56.215{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC42DF0C8C66BBC1876917CB6B1FE3A8,SHA256=731D0520233D1E05FAD020919F7A5BF090575C5CCFF5CE93CE81BE083D2DB6C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370370Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:57.384{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F751093C7DA2F1767E6B1B16176B86BD,SHA256=F9A5A30BB57C69512EAFAA1A37454EFA8E8ABB4E2F6C7775A45ADD98CECA7DDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323599Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:55.781{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49983-false10.0.1.12-8000- 23542300x8000000000000000323598Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:57.215{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D17E58B9AE42538D9C298152A13E977,SHA256=457206766167BD2C57F1BCBB28DDA5A72B3FF003C2AD10812676F63019A877E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323600Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:58.231{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA4B3B55D2F9B069FF759FDC9EA5F23,SHA256=5BC58A499EF003EBAD2F3F5DC3EE6A62CA681F4529EAC67744ED574748167B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370371Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:58.384{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C70018C268871E859B1BC8B5E12CFE,SHA256=826D6675D516F9533C4096FBB4766D7FE29ECB2BBF251771A6B7CDB356239DD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323601Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:03:59.231{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6E4C9FB7AE76D924C1B6C4562FAD24,SHA256=7EA6D61C3891C81165E8D92FAE7484E92282C1ED27506F04B07982E8C6B29DC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370373Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:57.122{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58878-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370372Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:03:59.384{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3C6FBE3559C603A57A1EFAF1F84194,SHA256=BD97070657704AC361567828829B02631C48F3B075C5315BC87687487718FE65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370374Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:00.403{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AD1332F427287C7E2C35621819A518,SHA256=01AA78A020CB4CD401B81424B1764CD9311BA5ACB0B94B1BED09C8CE4834F66F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323602Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:00.283{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31761221806B066BECD2599690174429,SHA256=32FD80D078148228BC0A6E22697D81AE9DEA65CB2AA9EBE07F68B35B4E879D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370375Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:01.434{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F195015518580A3BFA34648B0C6CF2B,SHA256=E773FA7CA41BD2C78DDC4CF65CB44269646CC44393B0E176DF37CE22A4AC2138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323604Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:01.567{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-019MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323603Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:01.298{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC3A6B7F9CB446C59D5A3AA09AC2DC3,SHA256=32F80E99A2C9939B7597C288E56E9F4CF2575D9E208C050E625402305BAAE024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370376Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:02.450{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6011F189F704363C5B6CA1FC96B3E6DC,SHA256=D7DC4A4142F7DD1782B5F39642787F5B13A49970DC87C340519F502EC629F3A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323606Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:02.580{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-020MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323605Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:02.329{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBC3519478C7286A166951B340DA459,SHA256=6DDBE066BB160ECCCA595C1077B4A4102E38E37CA13B5C80FA5A4CD40BDCA7C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323608Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:03.361{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2670FCD3ADB20058390727955B6567,SHA256=C17128010701C8162B36362A53DEDBA87DA2C17DCB2C548BDD7D794AF74FC6B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370377Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:03.559{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BF0A72CD43DDBCEFFDC5957B5C3B6C,SHA256=AF897F9EA42CA86661382FCFE03CF13B90075901E59CD2B865D36FC957C3A816,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323607Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:00.817{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49984-false10.0.1.12-8000- 23542300x8000000000000000323609Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:04.408{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0063BE0E21E44830D3C0291C37EC7DC3,SHA256=678509958D5BF8DFC06B2E347AEFC97C3CCFBAE71FE3FFBC0456B09F9F9611FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370388Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.575{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC0D37C5DBFF5089E266FC75929ADEF,SHA256=22F196D26DBC652366021AB6DC3B24BF540B1E369E0B2E37E9027510095F5FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370387Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.575{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F942E66594ADEEAE395E0825C9B82C0,SHA256=D3A014D9FB28DD90513569BF1579B78E5F10408B1257C0FD46F3D35517727A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370386Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.575{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A2CC0F0583CB9217DC2DFC0BECB1AFA,SHA256=A9B72765AE465A48C28F8E0DB8F281ECA6CF34DECA0F0B27552865053A545B17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370385Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.419{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F94-619F-6501-000000000F02}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370384Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.419{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370383Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.419{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370382Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.419{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370381Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.419{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370380Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.419{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5F94-619F-6501-000000000F02}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370379Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.419{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F94-619F-6501-000000000F02}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370378Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:04.419{27B459FE-5F94-619F-6501-000000000F02}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370401Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.575{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA7753B019D75940561D78AF0E42899,SHA256=3A38E496AF4F7F4595A1AEEEB1E82BEDEBB5B36ABD1CC25EE24B7641746EDB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323610Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:05.454{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62774E1A2709F17A17DB6F784EF95FD1,SHA256=5F4D48096D03B5878F5E616F1F26F986D3D0E6F5AF88CED294A53F41C77584F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370400Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.544{27B459FE-5F95-619F-6601-000000000F02}18805488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370399Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.325{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F95-619F-6601-000000000F02}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370398Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.325{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370397Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.325{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370396Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.325{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370395Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.325{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5F95-619F-6601-000000000F02}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370394Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.325{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370393Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.325{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F95-619F-6601-000000000F02}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370392Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.326{27B459FE-5F95-619F-6601-000000000F02}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370391Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:02.610{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58880-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000370390Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:02.610{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58880-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000370389Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:02.172{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58879-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x8000000000000000370414Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:04:06.606{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\583610C9-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_583610C9-0000-0000-0000-100000000000.XML 13241300x8000000000000000370413Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:04:06.591{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A6F3BE35-2816-4299-8BAC-44B9E4617F8F\Config SourceDWORD (0x00000001) 13241300x8000000000000000370412Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:04:06.591{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A6F3BE35-2816-4299-8BAC-44B9E4617F8F\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A6F3BE35-2816-4299-8BAC-44B9E4617F8F.XML 23542300x8000000000000000370411Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.575{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C15ED95FB63931AF02FBD2A283EF14,SHA256=A64716FFFFDEEC466A0EDBC43A7CD7146A15A50B9A9A85BE0552962D5F1B178D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323611Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:06.470{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E105EA09EA2A17C9EB03F187FDC5C6BD,SHA256=711D9D03058564BCB16EFCEC25C4025CA40265813E105EE6F870BD9D7E5ED71D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370410Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.466{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F96-619F-6701-000000000F02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370409Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.466{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370408Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.466{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370407Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.466{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370406Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.466{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370405Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.466{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5F96-619F-6701-000000000F02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370404Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.466{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F96-619F-6701-000000000F02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370403Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.466{27B459FE-5F96-619F-6701-000000000F02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370402Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:06.403{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F942E66594ADEEAE395E0825C9B82C0,SHA256=D3A014D9FB28DD90513569BF1579B78E5F10408B1257C0FD46F3D35517727A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370416Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:07.606{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C3A7DE9524D44A28EBE812998D968D,SHA256=F0E06744C10F5F9E143833AF91F7FBAAA44AD05EAEA51AE5E5E421FB40E934B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323612Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:07.486{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0560A3C91FD1AE9BCFDF3F6BDFD11D7,SHA256=A898B229A77858CEAAC1B5698A76B90134EF6183955D755E811A91999E485C5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370415Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:07.466{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86CF8BC5EB1EE32B7C4B9E1F92780ABE,SHA256=D62A5D349A8D77FB9C0EA7283F4107229DCD5331257D6D460E8DCFF43698226D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370432Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.872{27B459FE-5F98-619F-6801-000000000F02}49605376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000370431Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.677{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58883-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000370430Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.676{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58883-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 23542300x8000000000000000370429Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.622{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4BF069051FC6875C4910F6E26CE6A1F,SHA256=43B5CD27B9BF368C9C41249575AA6785C5201CC90D8924398E637C2B29A165F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323613Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:08.486{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0286B78129C6BDF35E7FC8B4F00438B,SHA256=5847EAD59225CD1CEFD4ABA316C460454B511A3386D17E7ADB1DB35DB1764E69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370428Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.544{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F98-619F-6801-000000000F02}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370427Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.544{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370426Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.544{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370425Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.544{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370424Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.544{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370423Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.544{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5F98-619F-6801-000000000F02}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370422Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.544{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F98-619F-6801-000000000F02}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370421Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.545{27B459FE-5F98-619F-6801-000000000F02}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370420Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.643{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58882-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000370419Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.643{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58882-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000370418Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.615{27B459FE-5AC4-619F-0D00-000000000F02}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58881-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local135epmap 354300x8000000000000000370417Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:05.615{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58881-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local135epmap 23542300x8000000000000000370443Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.638{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9124B3C9B89C7F6743FAFF18656D2A,SHA256=38B400654783A6EF6FEBCE6A8FFE700F4FE5162621D2373D0001F94C10CC807F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323615Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:09.485{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB5A4ED82F4C31D49C7E7480B6A20BD,SHA256=8410AB11ED91C966B37B6949724871AFB6B986E721C2F3F569BE472602C58399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370442Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.591{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2C132C45B000ECBBACFAB5E35C89A22,SHA256=839EBB4556D7F7FBFD20A2C47D99247C9824F7998B64762FC7B56CBE562A16B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370441Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.356{27B459FE-5F99-619F-6901-000000000F02}52164984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370440Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.059{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F99-619F-6901-000000000F02}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370439Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.059{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370438Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.059{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370437Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.059{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370436Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.059{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370435Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.059{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5F99-619F-6901-000000000F02}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370434Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.059{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F99-619F-6901-000000000F02}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370433Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:09.060{27B459FE-5F99-619F-6901-000000000F02}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000323614Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:06.741{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49985-false10.0.1.12-8000- 23542300x8000000000000000323616Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:10.486{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B81BF0B24C42ABD6596947CD3CCCC01,SHA256=A0154DE8309E012C39FF35ED1BF4E698DA6C0579FB789C8821ACA2B2C3E1E5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370453Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.638{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D60F643C65EF1AB326858D495A3706E,SHA256=F677B40F64F31404FF7F1AFFFA7170C462D5E9925500CB87CD74D1754AFB1DF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370452Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.294{27B459FE-5F9A-619F-6A01-000000000F02}56964820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370451Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.044{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F9A-619F-6A01-000000000F02}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370450Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.044{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370449Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.044{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370448Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.044{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370447Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.044{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370446Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.044{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5F9A-619F-6A01-000000000F02}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370445Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.044{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F9A-619F-6A01-000000000F02}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370444Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:10.046{27B459FE-5F9A-619F-6A01-000000000F02}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323617Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:11.517{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F0B5710B7ACA17CDECB6DC3E0DE9720,SHA256=EF58490E01761DA65E9434E64C2718A18C5414F779C3EF6744027055A8EE362B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370456Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:08.172{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58884-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370455Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:11.638{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C9BF56D94985FA9356C09A4C82C23B,SHA256=2F253DF7332CF119529A1672149312DBF06F554012C1EEC1C5CECB76262BA060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370454Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:11.060{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EB3BB7F15D8F95AEC6170A7CAEE6482,SHA256=0A9C992B06C75E2189D1AD3D567417210FBF6FA18D57B4ECADC115766EBFB34F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323618Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:12.517{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89020611F9684877CFEAAD6E309E6763,SHA256=D823B5EA113112642473022AB7F5602352F8E5705DA84301E762F89735CF2432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370465Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.638{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B77AC70B875430889F885EF9D365B95,SHA256=243D19220FF1EC80A6FBEC81935AC08841BB8E190CD9AB198831EAA4788AE123,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370464Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.091{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5F9C-619F-6B01-000000000F02}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370463Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.091{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370462Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.091{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370461Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.091{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370460Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.091{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370459Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.091{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5F9C-619F-6B01-000000000F02}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370458Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.091{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5F9C-619F-6B01-000000000F02}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370457Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:12.092{27B459FE-5F9C-619F-6B01-000000000F02}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370467Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:13.653{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B716EC989CA36ABAF155FD3A912F12B1,SHA256=A333DCE0C90551A3078A6013DD9BC9FEF163E0D0AF1EB402CC78DF359E259DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323619Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:13.563{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A0C619FD45AC116376F314EEB1DE3B,SHA256=D17F265D84A99E308ED0C09A4060CCDBA3CDB4E7008422E94623D94F55BB50A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370466Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:13.091{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30E3A8855ABE184B6A15CC88E49DF9CD,SHA256=04E769400CEF181EF1C6D6AF81301ADEF268C20DBA4B2D01D42853C299B483DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370469Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.685{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370468Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.669{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006BEE42624C41AF6BB696948714C2FE,SHA256=045188504057227FAEE35FD342B58C2FF715202B026791EA2368E576921EBC36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323620Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:14.579{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7895B875D7BDEF43D5E00FA9C3BACA0,SHA256=282E2D0631BE79DD8C13A1CBCB4B60A289177E97E5C0547EF3620F71780F3B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323622Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:15.626{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDDD503B82B9CB8C1791D6DF5FE7D70,SHA256=C2177B0B539F188BAB4B838CC25FBC705F5725E9E635AE8FB0BBEADFC0B2D724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370471Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:15.685{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65198DA674305BEE5A70BB7FD6139529,SHA256=DB49A1BBF6EBC3A7EA41D02A65EC87F01747855B01E0142F1871ED34B120611B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370470Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:15.278{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-5AA4-619F-0100-000000000F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x8000000000000000323621Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:12.787{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49986-false10.0.1.12-8000- 23542300x8000000000000000323623Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:16.673{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E3F15995E8575DB63088BFBBCFA25A,SHA256=A14A8E27A7FEB28F62495D9DE824D20FD7A5CC1F349563D3A815D2922EAB9E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370479Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:16.700{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95054E3AF177D1511494A89D42C3017F,SHA256=27DAF62E7D1947045536241F73EEEE1949E19E909495089DCFE75C1B31C2948B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370478Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.218{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-266.attackrange.local58888-false10.0.1.14win-dc-266.attackrange.local389ldap 354300x8000000000000000370477Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.218{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58888-false10.0.1.14win-dc-266.attackrange.local389ldap 354300x8000000000000000370476Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.207{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58887-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000370475Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.207{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58887-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 23542300x8000000000000000370474Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:16.294{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F397ACBC53661EF2A51E626CEE1BA204,SHA256=F994400CF8B2B0D5618C62C890E10B85FF2389B52A79FEB8D432990E2DE90DB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370473Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.094{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58886-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000370472Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:13.703{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58885-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000370482Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:17.700{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CE6E7DE194BFF4DCA67C14F9D8B4EF,SHA256=2106520D76FE86F13F5E7DBA78063C7AC5B76D65709ABA7BD411A2DD9510BF86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323624Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:17.688{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BB0C1B7F5D1CC903E7DDEEBDAFFE38,SHA256=D69EE47263599CF89437E184AD17E1F1C1D6534D838064FA23A0A6EF7FA40FCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370481Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.317{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58889-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local445microsoft-ds 354300x8000000000000000370480Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:14.317{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58889-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local445microsoft-ds 23542300x8000000000000000370483Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:18.935{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E9E7574E45ED02FCB3EFE46034125B,SHA256=EE72DEEEAEA76D60F718F66FAE89FC6440170C1FDB8FCDE40B86B42085E7AEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323625Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:18.688{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2EE1BE15E0010FAF6B3FA4E4FF5707F,SHA256=9D5967C0D26281410FD5B5EA44B26647DCA903EE79DC70E5A4C5BD3E3EEC2807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370484Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:19.960{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0A5866DE151FC94E1BA15A4559E168,SHA256=594FAE72E8614ABCB879E80D783E389F2674764EC4C82D8C8C596BE2D42072E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323626Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:19.697{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D51737131ABC7013FD8326F4024656,SHA256=077698D37A995BBCC69AB496258F606EE85C8A077463C71367B65D759EB18DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370485Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:20.975{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB19D4D279062508FB47FF2D46024B9,SHA256=88F6D3E82998C99C76239F98D5661951255E9EF87728415CB5C271893A454FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323628Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:20.728{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95947D526238F9AECCCD5C33C91254CC,SHA256=13BC2A9FA16C054028B04915D92CE117FE08B4DEFF9434E9B536FE9AB3194E6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323627Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:18.584{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49987-false10.0.1.12-8000- 23542300x8000000000000000370487Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:21.977{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD1906FA107A867BC15FA05A17C7C6F,SHA256=6F35FADAD051E3EA83F2F050A7A73536B523D865F496876CEFE87D3906022D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323629Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:21.744{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2A0292D56475A3C02F7068859F59D6,SHA256=B1ACB1A5CE2620EA3CDB4B90DAA08F27A3B6D671ABF7D2B470AB316CB7EADE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370486Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:21.697{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-019MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370490Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:22.991{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=729BFE32BF5F7166ADB4BC0163F0A4E7,SHA256=C6C2241F892479932EFF557B7E710F8590BBA2E62371DB64AEB020FAC39CE3E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323630Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:22.744{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEFF1CE0522F6443E4664F57CE23727,SHA256=58C282BEC64932F7A10620EFBBC8CB47CAE0CB2C70384B36E15F74DAAE600728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370489Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:22.697{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-020MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370488Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:19.291{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58890-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000323631Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:23.775{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E9C8EB80EE2DE5EAAEC87084A97066,SHA256=B07B3A91F70F22353D02AB5DC70408AF7EEB43B5AE6327F1A3CC48ED17105AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323632Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:24.775{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71413CA8F37D858B584388FDC9611160,SHA256=A56FDA138BDBC8BDAAA252F67CA3DFE40A54C646BA340B2EE231025BCA096E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370491Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:23.997{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877C9F3D748424995BABB45FEB8F78D1,SHA256=DD898F2CC57ADC161BB1156B25D184FABB5FAD41A8111AFAC4D9BE34AF9F7E86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323633Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:25.775{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EADADF04F0F8C475C0ED0779F3408CE,SHA256=AC3D7EE414A58E6B5DEBA99A1626C6818E5C7CCAB9418167FFA315A5E15CE338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370492Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:25.012{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C0A748CF93A2D1CD7400692B5838CE,SHA256=6F4D04653D35195AD2EACD5B9AF1364F2518B1F3ED342AD4A4E82E6C97BA077F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323635Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:26.790{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAFA3E7B156D5656D013EFCD8D1FED7B,SHA256=452F1C731B227BB345E637EDB604950F40448378543465AD9EF85D24C15EFF48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370493Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:26.028{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0461375A8E1F81749CA6EC6F160739,SHA256=93D17725C35CDD34281C5505C9BDAE501EED541AE16F413A83F506A3C34E7351,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323634Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:23.655{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49988-false10.0.1.12-8000- 23542300x8000000000000000323636Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:27.790{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F12174B3606D8A14B3E122AA1F31AF33,SHA256=1075599244118ED490B69E846398DF4278EF243753EA4C62103484991E38875D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370497Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:25.109{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58891-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370496Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:27.028{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7948EEE145EEB184E197E7BBF5D0B9EB,SHA256=E92EA7334FC5019F5D68D837ABEB5DAE5749E67E362C570C598A387320F94C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370495Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:27.028{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=843D623DBD8EC339FA347A079142FFE4,SHA256=F1DC3DDEC04BA25AA54687F9B99BA62454EBEA2905CEA48AA643A85ADE9A1865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370494Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:27.028{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB162C1335B51025A6A3F4C093046B5,SHA256=CC033E0DB9BFC45C6BB24AD23FF5B8E0B915B857AB78AD9BD030B43C61C07E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323637Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:28.806{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBEE9848874C360B51E287083F7E882,SHA256=81355977F0EC6DBBAB2917673535706A22D9E1CDDBD43D0AF911BD1040C8C8A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370498Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:28.044{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFD43EA6CDE8D9B793684E5D6239E5E,SHA256=1C4B471BED5E8EC50EFDD7236782F6BD3914512ADEAC243E344CB848E8E5C179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323639Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:29.806{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC546EE6C60E2044C24089C8A61FE132,SHA256=BC4E6C55257BA9C45D0AB3B7F6D94D533D8CF6C9608250B8A4D3048EF0CA60C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370499Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:29.091{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBFD4887E6C0796E2A7C15295F200EE,SHA256=F0145E3A49992029AA77496A535D3205816D8A839ED3A1FF11F94D4FA41CAC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323638Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:29.368{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2015C311EBD9AE938E94FD94B24B04C2,SHA256=AC97DD138CB826E6AEC60FBC881D88406E4DF310F0586D219C1B065BB9C64A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323642Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:30.806{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6187A64C26A47165503EC8B4D2EE7A50,SHA256=FC9915D6711F781559F5AB0404819B45D1B8FE06E563722E5718786FCE34C2F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370500Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:30.122{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BA6BEC20C9C420B121F610EFACDE2D,SHA256=F4BA4632104064D6C01520C0309B5BBC39582915F26E17F058114DC3F8D2C369,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323641Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:28.780{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49989-false10.0.1.12-8000- 23542300x8000000000000000323640Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:30.228{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323644Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:31.821{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DF140A3055EEA704A8D59B1B7CB0F2,SHA256=B2F6B410D2251D8D62C382166E4C22F58F6623AD86C98BB61879DB591D08921A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370501Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:31.138{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BD7797EAA78187F3833D805025B3DA,SHA256=0C29A48DE2F4E54A9C0681EE3058AAA57C00872C0E0CD13C44003E31FEB55B85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323643Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:29.796{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49990-false10.0.1.12-8089- 23542300x8000000000000000323645Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:32.837{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C68345165858E2714097C4759BB83AE,SHA256=09313E4EE0887F34C735ED94E39B3CE094B968707A561EA643EF445CC8A53054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370502Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:32.138{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12A36AA074EE6E495AC5EB7457DA4181,SHA256=0506AFAA56AF12F3775759A7E89E1383E622278BB5B7126BD637E52E48713136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323646Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:33.837{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E375B2B4207DA44B6131E6F6379AFF,SHA256=A797DF3447F22DEAB7DB733DAE0B5D3C5ED993B40C6F8D88180AF3D6222B2099,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370504Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:30.265{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58892-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370503Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:33.138{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A69EA8AEC657F6D8A38ACA591A0689,SHA256=13CBC6E01DC42C868BE73A385373CA81A48B4A0918E53EB68AEECCEB5E9FE019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323647Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:34.837{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE6480095556EA58EBEADB00CF9DFE3,SHA256=A69D2F4EC9FF1CE87941957687A4277C81E2C9F131CA096A80A3D53E3ADD9FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370506Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:34.419{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=77EC5FEA1151FBA567AC88042A0F948C,SHA256=929FBF918B10B08AA9B835082859B01D25FB94B85D67F2D7651A8B3227E3CF3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370505Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:34.169{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1453CA6810D7343E4804CB6D9EC7B210,SHA256=420961BCF9AF20B64CC9F71A2F292D0699A7276225C380EFA3B5A33B160C7A6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323649Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:35.853{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7001C2B2FF61C6D70CD5D40E048C9CFE,SHA256=F3B4FE0521BD268729E00CAF41DC221B7517044103D897FFA9EBA5144DA9B3D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370512Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:32.945{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-266.attackrange.local53191-false10.0.1.14win-dc-266.attackrange.local53domain 354300x8000000000000000370511Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:32.945{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-266.attackrange.local53domainfalse10.0.1.14win-dc-266.attackrange.local53191- 354300x8000000000000000370510Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:32.945{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:c870:f0d9:7a6:ffff-53191-truea00:10e:0:0:0:0:0:0win-dc-266.attackrange.local53domain 354300x8000000000000000370509Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:32.944{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local55010- 354300x8000000000000000370508Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:32.944{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local55010-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domain 23542300x8000000000000000370507Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:35.169{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3459125E751640209D137C34605356D,SHA256=6D670C7D39C1423F55A3C9F47CD292DB3E4E64D9ED594F5E6097370DAC952EE1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000323648Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:35.478{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0xd99230fe) 23542300x8000000000000000323651Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:36.852{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD95F497E7DCEE45BFD62BB0A5A011B,SHA256=074F8502BBADC2C2C64A897291CB99D49B75010D346CC560AA9758B8F9969553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370513Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:36.185{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A031CD4144580CE397337984368455C,SHA256=F871C1FA4F9355E7DAF16FE5125C2853B9EAA8BC1A4A5C74BC42A725DDEEDFE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323650Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:34.749{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49991-false10.0.1.12-8000- 23542300x8000000000000000323652Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:37.868{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD8C4E1E170136296B319114A860BBD,SHA256=84CDD9708E947DE284F7824C82DF165CBAB2893E5967FDFB03BAC95907505F25,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000370515Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:04:37.263{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0xdaa2a445) 23542300x8000000000000000370514Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:37.200{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFE23C46CEA8BBC1688EC15F32C4883,SHA256=F5C9CA31034D7BDB3FC638E011081AFB4E9C1695553E1C0112943A3ABA19A363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323653Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:38.868{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520F5115FBEB5569F1AC7A374036254E,SHA256=880A40A45092D542190FB108DE89B61A0572AE0401E66D7DD326CDCAA0841C12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370517Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:35.281{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58893-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370516Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:38.232{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36214FB790DDE10D511B82B6FC1F5099,SHA256=4C5A9D96193734C5B797A57A263EC1658F7B415CAC44DB6A98446944CDEA6F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323654Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:39.873{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17222AC8AE398192EAF3BAE8A9748456,SHA256=AF64C2CCC0E20A8D96BF35DA79A1A6FF1F545612714E459DC3D23F92E8640AB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370518Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:39.247{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934ED92CC7CD4B29ECD8A954BFBCF169,SHA256=474DE6CA75042FACAAF86A2E37DB94A3FB2D4FFD1199FEE84A24303F0BD068A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323665Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:40.889{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E459043EEED077594E5A78E836461B,SHA256=76CC54FCA440A171FBC053FDB681F5E1D3A9259819EAA2B9A0D7603E0D439D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370519Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:40.262{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2D1C55097D57436DC713248FADC734,SHA256=E2E5F34A84340C9C84E24B2DCDD454FDED44B03697C0A2E1A7BDE4C3B3D563EF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000323664Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000323663Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00141d0c) 13241300x8000000000000000323662Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1db-0x7ab4f041) 13241300x8000000000000000323661Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e3-0xdc795841) 13241300x8000000000000000323660Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1ec-0x3e3dc041) 13241300x8000000000000000323659Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000323658Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00141d0c) 13241300x8000000000000000323657Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1db-0x7ab4f041) 13241300x8000000000000000323656Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e3-0xdc795841) 13241300x8000000000000000323655Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:40.857{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1ec-0x3e3dc041) 23542300x8000000000000000323666Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:41.889{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB307669CE1CAA092239D8C2F0B5D3EA,SHA256=1C3B745DD8CE794E48DA0C1CA0F48493904E1063FC1ED7ECC6A85DAC5693A6B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370554Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370553Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370552Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370551Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370550Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370549Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370548Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370547Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370546Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370545Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370544Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370543Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370542Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370541Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370540Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370539Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370538Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370537Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370536Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370535Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370534Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370533Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370532Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370531Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370530Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370529Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370528Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370527Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370526Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370525Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370524Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370523Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370522Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370521Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.949{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370520Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.262{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1F2FBB1D0BA3B36910CB51CD41880D,SHA256=146C15668D3CE01A5C8021FEECC23E0C050BA8BE6F484750E194CC6D7155613A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323668Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:42.888{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC91A6FDE790BD066FA4F52E224B855,SHA256=BA4AB64ACD9E397A6E4005378268E6DCB899E76E97ED96AAA92203FB22CEA1B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370555Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:42.699{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0210A7C2074020523F7B796E38E593,SHA256=50B854319296347659D6B27386D7EE1BE66EBFE8DE5BA0AEA33BFF38306A91BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323667Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:39.832{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49992-false10.0.1.12-8000- 23542300x8000000000000000323682Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.904{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57704E293C5248B3FA252DF76758AE8E,SHA256=FD89372DEA221998DC5708AB271E8D65FDA60E91CA243FEF455BEDEE52B17B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370557Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:43.715{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B938CE329302FF45131DD3652948FB2,SHA256=0BEFB9691905915CE9D96615B91FB69BDB044D52B4F4CB9E2350E593E383EE4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323681Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FBB-619F-2801-000000001002}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323680Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323679Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323678Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323677Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323676Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323675Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323674Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323673Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323672Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323671Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5FBB-619F-2801-000000001002}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323670Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.732{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FBB-619F-2801-000000001002}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323669Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:43.733{99D2EDAA-5FBB-619F-2801-000000001002}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370556Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:41.093{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58894-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000323698Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.935{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8567A85BA955648537BD11CABE875FA3,SHA256=F6A4561E982BC6C29D1B9F61F827692DE46698B7C671B69A50A0F78ED33C1C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323697Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.935{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C8301360E4C63C1C4AFACCBE4236DD7,SHA256=80A97959D00EAB42929FDF2D21567B332094C7DB2EFDA99F8C110D7817B80E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323696Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.935{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E306BE2AE89FBECE74902DCCCB5DA9D,SHA256=6D07E6921C906EA2674B04B49A2239540E34384546B3A472D5941D4B63F52F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370558Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:44.715{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE17E776EA0B49AF9B7511470BCF790,SHA256=ABEFC4543EAE82FF41409006635714DFDCB28F629DA5D9F13193CEF48C4EBE0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323695Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FBC-619F-2901-000000001002}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323694Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323693Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323692Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323691Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323690Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323689Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323688Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323687Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323686Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323685Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5FBC-619F-2901-000000001002}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323684Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.873{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FBC-619F-2901-000000001002}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323683Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:44.874{99D2EDAA-5FBC-619F-2901-000000001002}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323700Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:45.935{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F938D45FD310A3B336DE6706EC51C8F6,SHA256=2E6F7C82D3EFD3DBEDE6ED6E75623D14EC9998F2B571E03AAAD66469145C6A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370559Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:45.731{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3EEC808A992B06648289FD802F7F75,SHA256=709BA971007E27EB21C0A10D6BDF2523EFAA36B15111B9DC0904092E2173B354,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323699Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:45.045{99D2EDAA-5FBC-619F-2901-000000001002}1916656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323714Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.935{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3FA4DE09CC5F9FA4A8982079AA714F,SHA256=5A708B238F64B41106ACF0F1683DA9F14C386F4DE803EA2A857E3E6BEB178736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370560Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:46.731{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99FE54F40D18F23214497A0F134A6D6,SHA256=5AE445F378013388BDB9A48B5B79CC84AE995214DC12904856BD2AEDEC61468D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323713Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FBE-619F-2A01-000000001002}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323712Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323711Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323710Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323709Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323708Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323707Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323706Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323705Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323704Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323703Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5FBE-619F-2A01-000000001002}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323702Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FBE-619F-2A01-000000001002}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323701Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:46.045{99D2EDAA-5FBE-619F-2A01-000000001002}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370561Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:47.747{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD427D4A16AD85D84DFD64E98EC09190,SHA256=86E266374905DEBD5A8134828B395677E656D2933A54AF6EEFAE158C49B5A043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323731Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.935{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD000675C0D711E4EABB21C9BB20E1B,SHA256=5E5C7D89ACFDDBDCC4E2ABBBA949D5E3A9CFFD18F03FC83A2E2ABE965BC8D4CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323730Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:45.629{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49993-false10.0.1.12-8000- 10341000x8000000000000000323729Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.638{99D2EDAA-5FBF-619F-2B01-000000001002}10481640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323728Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FBF-619F-2B01-000000001002}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323727Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323726Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323725Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323724Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323723Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323722Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323721Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323720Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323719Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323718Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5FBF-619F-2B01-000000001002}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323717Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FBF-619F-2B01-000000001002}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323716Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.498{99D2EDAA-5FBF-619F-2B01-000000001002}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323715Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:47.060{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8567A85BA955648537BD11CABE875FA3,SHA256=F6A4561E982BC6C29D1B9F61F827692DE46698B7C671B69A50A0F78ED33C1C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370563Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:48.762{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA27226D2CAC1E895978372DCF142A75,SHA256=CCC77749E18756FE9E5E8B1F1100C05CE07E6E32EA3B34707D2CE692131A7616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323747Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.951{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D339872D9F77FFB45840E07A92E1104B,SHA256=3BF840581898C2615738AF5BF4735D4E7FADCB017B8FFB1D509CE45D947FB989,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370562Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:46.186{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58895-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000323746Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.779{99D2EDAA-5FC0-619F-2C01-000000001002}12841088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323745Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.718{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9715890EF57420ABE060E8D4500EFAC6,SHA256=16B061886DA78C4D0C789CCDC3CE268324BBC3CF3554C46EF7485EC91E850251,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323744Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FC0-619F-2C01-000000001002}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323743Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323742Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323741Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323740Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323739Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323738Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323737Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323736Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323735Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323734Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5FC0-619F-2C01-000000001002}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323733Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FC0-619F-2C01-000000001002}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323732Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:48.623{99D2EDAA-5FC0-619F-2C01-000000001002}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323762Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.951{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E96C08E422BFA32B049DB2F6EACDF7A,SHA256=84AD3DF5D65147F223FB63B3F50518EAD56FBF8AE714F2234DC4A7D960BA9170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370564Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:49.793{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A2A90F03691674A92C6640A73DC511,SHA256=962E4539ACCC1959F6A38EF5BC502EE51058E0565B7BF32A216E5351D8095E20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323761Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.654{99D2EDAA-5FC1-619F-2D01-000000001002}21562232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323760Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FC1-619F-2D01-000000001002}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323759Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323758Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323757Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323756Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323755Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323754Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323753Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323752Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323751Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323750Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5FC1-619F-2D01-000000001002}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323749Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FC1-619F-2D01-000000001002}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323748Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:49.373{99D2EDAA-5FC1-619F-2D01-000000001002}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323777Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.951{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A028745C6E4CB12F71CD7BF9502CDE,SHA256=A246CFF64A63B97B5F7BC9A7862E3E5F463E18BAF461975215C1009FE73703FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370567Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:50.872{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370566Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:50.872{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370565Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:50.793{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FAB448291EA0CB9A8E50DB56B77121,SHA256=C14FCC6E93E939C96DD15C1ADAB2F19A7640C944BD3B149B0AE2D8E4EBCA0C58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323776Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FC2-619F-2E01-000000001002}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323775Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323774Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323773Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323772Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323771Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323770Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323769Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323768Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323767Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323766Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5FC2-619F-2E01-000000001002}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323765Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.513{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FC2-619F-2E01-000000001002}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323764Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.514{99D2EDAA-5FC2-619F-2E01-000000001002}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323763Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.466{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEBB5D8621F51C3EA737F51C4295865B,SHA256=A79922D819C615EA7BF5C77A3DEDD3278EAF4E1C566BDFD9CF0ED88B7FDA836B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323779Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:51.951{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940F539AA132D31114204DEC47526B51,SHA256=687BDFF9D8CE06F2CADA32C40EC9E039FEBBBB9E5BD8B9A9FC5D2468CAE201B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370568Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:51.794{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC3919A0D5F32D77202AAE9565C6934,SHA256=460D3D194FC1411CB370BB72FD08B2B7CEF996EC31CB4ED230CE8FAC91C723E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323778Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:51.638{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53900BE33984D89057B20DB8DBEF0841,SHA256=35796E4A9E38CE5600A3CBFA3DCA01BF6CCB5A549B6876DF71F66CFF390C4C9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323782Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:50.770{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49994-false10.0.1.12-8000- 23542300x8000000000000000323781Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:52.951{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120E77F27CBFDC1383F99D25CE5A0F95,SHA256=BF46AA49F878C192F065D0F0B278E1F604D38781B159334AF673DBDDEE043146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370571Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:52.809{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49545D75CB03AE0A5D7315F737095D20,SHA256=2BD3C1B199E9C650DE73DBD0ACA375E905D74C51D62207E618EDAF01210E21F2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000323780Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:04:52.263{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0xe3937d15) 10341000x8000000000000000370570Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:52.356{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370569Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:52.356{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000323783Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:53.951{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263A45DBA9774E8F653C253B6CF5FA8C,SHA256=4D7F2F2145DEA6C1EA630EA43159631FFED2D2CAD498789E40FF4357956883DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370573Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:53.825{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BF369FD93340E840648541B4BDE8BB,SHA256=9E095566CE479E1719CAA56FFE47AF5495C005CAB743A7ADE99898BD8D24164E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370572Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:51.233{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58896-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000323784Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:54.982{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C9C8F8756017BD4C9CC3D2B8F54103,SHA256=C7BC3D1E77117ABDBB509F7062CCC28E90DE0C7758FA5FA86267063DDF1B0473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370574Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:54.825{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6509E1356CBE5EEAD3840F54D541C84,SHA256=4B626850F5165E3E084B4C3D1366B41A23B3E4B65471816A6D0EE8C36F7C18DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370575Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:55.841{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D977216B5AE8A3BCB183D79C7D90A6EB,SHA256=B12A3C89081595C9AC0078D404BE8F72F07CFEF4405A025544287460C7449A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370576Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:56.841{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2370E23EFAE9F306A4F36B28CE332A8E,SHA256=57F35B1EEE909759CF3EB62C4441444B55488053903E6E54B3645731206EBE63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323785Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:55.997{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7734AB3FD879E424C1EA49E21E8DA733,SHA256=5CDCA1F4963F9965B6E720205D0216D4283720FCC557EBBAA13FE0F00AC62EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370577Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:57.872{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4884E9CA72390EE22298815C6B2E925B,SHA256=D7EE21E0031B88E28FEDFBDD2D40F493D2ED9D4CBFF13A0E446607E12F43B01C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323786Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:57.013{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3B2B4F5815A2A7DE320D74BFB8E27E,SHA256=50FF578C4626BB364AF77AEAC8659C12979BD98BEEAA311DF48AAC37D91C2140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370579Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:58.887{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78C4586002CF76C6DF33E7239EE511A,SHA256=2FC783F0C80CF10582E02F1503704B50A0B4B33929806E0ADE0E616E7D0F77A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323787Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:58.013{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18490A45876346B6698D58C3F4B691E1,SHA256=A4797A576C5F02B7155BFF74D1A8DE57359EBA257D5A5001818FC585EF912845,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370578Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:56.265{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58897-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370580Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:04:59.889{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456E391DEE616A0F59811A55485A1968,SHA256=321B61956CB494EAC09A52F129F47C820D977D46967C7DF049C76AB724071C34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323789Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:56.692{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49995-false10.0.1.12-8000- 23542300x8000000000000000323788Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:04:59.013{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2C7EA8A1C74AA278247EF5429787D5,SHA256=779BD7CFF2B383B329BCE38CB12E76248BFFD5CFB7D8D174058429D7E780E5EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370581Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:00.904{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A0A1D6DD6D28DD486F49422455DAC1,SHA256=9E9689E8A00C2403F181AD301572B9A391590948B4D2FAF3973C1585C2D57FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323790Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:00.045{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B69C25C0D067782493C5D8DA8FB30A,SHA256=ED9CE5E0253FD0DA3A7D448A81C1DBD6F140B041F214D7A3C4B44610E76A7697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370582Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:01.904{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7CE14C776E94E54F343014EE83F7D5,SHA256=514E5B2A05506B5F4F3477875EBEDD7373EA2034A59908931DE3613D33EC1314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323791Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:01.046{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AFF8A96E131BE46345EAC78DD38CC44,SHA256=CC6D23B71007AAF1342FFB440FBC10DC5C6C031AD9721D1AE41DBD7FB15C04A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370583Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:02.936{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE97B331E69039EF284730EAB8863552,SHA256=9B354EE7FE2F4047F3C8C895D77A02174528CE3E6759BEA054195F0293B52B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323792Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:02.061{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABDFAFA01F0AD296926D33371325F372,SHA256=486E0C8C5A22F4C4A7369C354EF481C1A1AA4237543FC8839E6131C87005150D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323794Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:03.097{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-020MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323793Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:03.078{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656F9FE86AAF0BE951E04DFDED366046,SHA256=BAB87FD8B5E761EEB5F5256DE66004C101AA9267354C5557CB4FDC1D6573E7D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323797Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:01.802{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49996-false10.0.1.12-8000- 23542300x8000000000000000323796Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:04.098{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF8CDAAA7CA8FFBE58AD347AD803C9C,SHA256=B29C26146DD9523C395C6544B175A8115AF46F046A51707FB9DE0A1C59E081FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323795Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:04.095{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-021MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370595Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:02.203{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58898-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370594Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.624{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBBE9D90D354DD0A61F154908F60CFB4,SHA256=E2FB5BC84C3BF1D3AAFFA348CC473E498C37BB619952AD4D3E3BA30AB0A7ED3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370593Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.624{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7948EEE145EEB184E197E7BBF5D0B9EB,SHA256=E92EA7334FC5019F5D68D837ABEB5DAE5749E67E362C570C598A387320F94C97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370592Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.420{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5FD0-619F-6C01-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370591Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.420{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370590Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.420{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370589Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.420{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370588Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.420{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370587Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.420{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5FD0-619F-6C01-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370586Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.420{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5FD0-619F-6C01-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370585Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.421{27B459FE-5FD0-619F-6C01-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370584Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:04.170{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D959E26E2D1844ED0704C7B68EEE4B,SHA256=3C8508324B17DAB968C217EFD579BD046679277E3DAC3DE7460C4CB4FAD91A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323798Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:05.111{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089C6568FB60FE2195BE875A8D64C5F8,SHA256=8E0B924D9957DFEEDE997F6696EDC7FB626F5C49B82A45F1D03B6F427FEA4382,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370607Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:02.626{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58899-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000370606Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:02.626{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58899-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 10341000x8000000000000000370605Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.514{27B459FE-5FD1-619F-6D01-000000000F02}53885608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370604Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.264{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5FD1-619F-6D01-000000000F02}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370603Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.264{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370602Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.264{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370601Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.264{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370600Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.264{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370599Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.264{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5FD1-619F-6D01-000000000F02}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370598Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.264{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5FD1-619F-6D01-000000000F02}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370597Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.265{27B459FE-5FD1-619F-6D01-000000000F02}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370596Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:05.186{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E730EB8D179F3A0382DCE51F13775CF7,SHA256=8501407C43BDDB690588864B97D512374013C9FDE2C722AB453991377E34673F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323799Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:06.110{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3294F52EA629E18C438A1597CBBC99DF,SHA256=435EBD21180E331D07FA4FE2DE0DF62B3CED783372086A052AACC95D5A214A03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370617Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.405{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5FD2-619F-6E01-000000000F02}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370616Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.405{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370615Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.405{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370614Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.405{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370613Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.405{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370612Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.405{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-5FD2-619F-6E01-000000000F02}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370611Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.405{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5FD2-619F-6E01-000000000F02}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370610Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.406{27B459FE-5FD2-619F-6E01-000000000F02}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370609Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.280{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBBE9D90D354DD0A61F154908F60CFB4,SHA256=E2FB5BC84C3BF1D3AAFFA348CC473E498C37BB619952AD4D3E3BA30AB0A7ED3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370608Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:06.186{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA108BF43A2C27E51845EF0B2E4ABD04,SHA256=FA4E7F891A5E2C3FCF4093B27CEF55CC416C2C27EC539345DBC40009B464E7F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370619Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:07.405{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB5BA2149820340D8AA3522EC31394E2,SHA256=C0A8D4E4E560F9592D5A0C89B5DAA8301E01B6A0E99952C5A2E3A54CA328482F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370618Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:07.217{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953CDDC37F8B74A2BE33186BADC0C84B,SHA256=EA30127F77B34905A7DBEECE7F2EF3AFE730C5182A36FBB7962A0D47788008C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323800Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:07.110{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCDB819F71F4B0A69CFBB2CED641553,SHA256=4860E366B3C10727F338694B9D22754AD75D99A3BE5F49993EC09FC03E08D6B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323801Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:08.110{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D83BE15532951D2F9E06FF80E874F5F,SHA256=1E346E72734A991841810D3B9455C439793F8457AD6C7A2F911AE5ABB2981104,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370629Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.764{27B459FE-5FD4-619F-6F01-000000000F02}58523172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370628Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.545{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5FD4-619F-6F01-000000000F02}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370627Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.545{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370626Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.545{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370625Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.545{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370624Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.545{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370623Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.545{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5FD4-619F-6F01-000000000F02}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370622Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.545{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5FD4-619F-6F01-000000000F02}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370621Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.546{27B459FE-5FD4-619F-6F01-000000000F02}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370620Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.217{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F49FF34E8C51FE4C77030B1FCA5691,SHA256=E2DB396AF34572B1C6F6CC0330EAAA7C0B301D8FF6AFD9BE9B8B48B8EA3946F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323803Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:06.805{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49997-false10.0.1.12-8000- 23542300x8000000000000000323802Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:09.110{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7D35CBE7EE707906D21A8509CC5D22,SHA256=D8AEAB62E8E06820D2A2CDC0B1F573769F2E59CB66128C332EB884FB2E204D79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370648Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.967{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5FD5-619F-7101-000000000F02}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370647Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.967{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370646Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.967{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370645Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.967{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370644Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.967{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-5FD5-619F-7101-000000000F02}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370643Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.967{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370642Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.967{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5FD5-619F-7101-000000000F02}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370641Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.968{27B459FE-5FD5-619F-7101-000000000F02}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370640Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.733{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E0965C47E20E1E3D259EDCE8C65BA30,SHA256=45451C746CA89578D52F7742BBBAC7911596557809A2C135BDC1193AA2F20AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370639Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.218{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F38BC093050F7EAB1C83BF08C961F4F7,SHA256=A035E50FDA17CE029B92BF4C2F065770562CD2CEE7622687CD8E4E8EF0BA9003,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370638Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.202{27B459FE-5FD5-619F-7001-000000000F02}48562020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370637Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.045{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5FD5-619F-7001-000000000F02}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370636Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.045{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370635Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.045{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370634Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.045{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370633Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.045{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370632Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.045{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-5FD5-619F-7001-000000000F02}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370631Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.045{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5FD5-619F-7001-000000000F02}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370630Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:09.046{27B459FE-5FD5-619F-7001-000000000F02}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370650Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:10.248{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A33E05C9B922BAEDD5229B0E32EA47,SHA256=F7DE2E32EC378B76B664A8C3D30E2408CB9CA00EA380D36961918123FFFF9701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323804Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:10.110{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0D41949EF610B4F2AEF7EAE1F87DAD,SHA256=9C9CF86B9BBDB16C5BC96D599EA98DDC05CE47CE8E3C913940ECD225B444F3EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370649Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:10.170{27B459FE-5FD5-619F-7101-000000000F02}57441120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370653Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:11.264{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BB9E0FC622C9921F0D6215DCF060CD,SHA256=322E3C606C65A5C8CA57ACFA9E17791391B5CC7EB30D74F75012D89D55A16AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323805Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:11.126{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB285710C84A136CF438565DE563786A,SHA256=7C559AE9E36945F73C2A02C40546423CE34BAFBA95830D892E32C6E7B2937C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370652Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:11.014{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=294ABF3C7B1757C0BB8B037382313BB1,SHA256=FE28280FC321DF473CB6E901B5C27D08BFA9CF791D80AEB898BF6320AFAB5187,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370651Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:08.110{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58900-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370662Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.280{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6B6E5AB0945D9D8C7F41BFA42C0D01,SHA256=93C3562BDF9C907B60446D62804F9D89D83B19B9B8145A90644EA1F082E1EF76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323806Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:12.126{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66AA96D3F49D9CD3242AA26A4F78392B,SHA256=A9E51C6194ECDE45D6D917E14DB1758FEFC8C085EF167704BF1BCB71ECF9BEC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370661Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.092{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-5FD8-619F-7201-000000000F02}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370660Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.092{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370659Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.092{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370658Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.092{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370657Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.092{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370656Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.092{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-5FD8-619F-7201-000000000F02}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370655Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.092{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-5FD8-619F-7201-000000000F02}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370654Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:12.093{27B459FE-5FD8-619F-7201-000000000F02}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370664Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:13.514{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2A1A9A7FEB2337A9BB0FF0DB20F1B3,SHA256=F7D62F0886EB39FCCC45C83AAE4CA406231447B2DB92FD0C3EB749B2B4703CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323807Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:13.126{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996A155E17C8C38CF9A8452274FA15AD,SHA256=7367899106332E957C811573EA522AF470C62022F5CC632518939D12C98B1274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370663Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:13.327{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=954D5F30E3F22977568A427D56AA9B5E,SHA256=D1FB99E29B8CA8CCED36C50D1F1CB4DEEBE53DF3C609D5E7FBD9C30D173B455C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370666Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:14.702{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370665Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:14.514{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB37FFDEE5DB8255E6D2AF33E52EDBA,SHA256=6A4405A18B76E6CCA13D4799AB0B511A006D4DB204BE0E31C5FF4F32ABCCB7DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323809Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:11.836{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49998-false10.0.1.12-8000- 23542300x8000000000000000323808Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:14.126{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438F8E0DFED53C10BD5C1D4CE5B30AC0,SHA256=1BFCDD65864C82C2538A3AFA7795B91E61B377FC9EF4917A8C7E4502D5596F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370667Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:15.530{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D8F407A95251FBDA7151A59A6B89B7,SHA256=7FDEAEAA573C0CF30306EDE51A13D8DAE2F8DDC450385CADA166131952DB9D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323810Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:15.142{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD904316F8ED464F836026A37EBF7B8A,SHA256=04DF8510A84B59648D5EE03059CDA68936AE34914528170AC0F2117A6FB8A764,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370670Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:13.720{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58902-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000370669Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:13.141{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58901-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370668Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:16.530{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F6C0E32C2F2F05988FC4B55E106A1B,SHA256=6C2F503B4887AE463C9A563FB5645B639472FD58983A49480CDED2DF4017824C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323811Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:16.142{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C563DADB8B1819C51B4F38BCE471BA46,SHA256=40AE99D3D6B21BCBEA17FD407E72F0D18C49CE9BFD5A0F99A660CCCDAB5F959A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370671Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:17.530{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473E5992886524AB60C8E18D4D16A792,SHA256=13B469CCCDD6F57E9E90E3F30A290C8865BCEC5BC253E25BF7BBDE0028CA7BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323812Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:17.142{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19E4017A0F9FE0EDD1ECC6B04BD2B63,SHA256=5DA524182D783643DD77F1F5E2B5753188AE62741F14650C4D012774C07F8811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370672Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:18.561{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8231622C01FA5A926E6B7D72419B3E24,SHA256=0478FFC4AA7D5E017FCAFCD196DE845FAAE0C0811652D73FE949259A44175BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323813Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:18.157{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488C9898C7FC6FEE06DBF4D32FD5C7CB,SHA256=706C8438045A41F15A81AA5B70DA419329718435DB25D2E5C0EBE6D035B1300A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370673Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:19.596{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CA2C603B005C8626BEBA105FAB06B1,SHA256=ED74A5847959A21C350240D8BAF7A361E065D03A808A9809FF43CB2BD189C3CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323814Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:19.157{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66FD644B0ACBD3B64487BD20468B9115,SHA256=DCA4396EC2CE04B53C48D355C48870FF07E35F6CC2BFF48EC4D1F4B95585C730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370674Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:20.596{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683B4C40B9014EAD12F2E6A2307D5D10,SHA256=49994A7DB55B7657A0993D222C226CFCC0C4415BC6D47DFCAC21CCE589FCE11C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323816Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:17.602{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local49999-false10.0.1.12-8000- 23542300x8000000000000000323815Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:20.158{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35CF9C472447A88A0124C18638F6DF2,SHA256=084A0429743D540D10B56FDB7E696D3AC43A93F9AE45923820DBEF475D8C2D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370676Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:21.596{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134D88D9ECFC0DD29A87BC2F686FDF26,SHA256=0DE730C7B30B0618262FF6699E7E4D54AAB95F07497A28263FC34870939881C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323817Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:21.158{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C8EE020FF1DFA6AB88C260737B3C7A,SHA256=4C962187815F6369AC5D6F1DEADFD480950E6241F703CDE9B2F8787027479A06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370675Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:18.282{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58903-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370677Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:22.596{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBC90578E624F81C6403CD66C409E1E,SHA256=E7BAB0F2C729CD41033A25183722E2B4F701D0A85E1C779F865FAE8FB936A609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323818Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:22.158{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B6FB800B9C10EA47221037B9D1517B,SHA256=D34E38925714010B106CDB4B65B1455EA57AB4D38329D27CBC6A31279DB7E688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370679Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:23.598{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92527556AF9F6AC8858FC3C50DA01CE0,SHA256=D29EBD27F9362DB523061E9EE926B88AB03B4394B2A5AC3FFD7C35BC363B3020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323819Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:23.158{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13570E772EB85983CA36F4805294F996,SHA256=9FD8DFA295BFBDD54257938DEDC28A8BA9C13026E1D9CF6C3E089B6DAC5C5AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370678Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:23.225{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-020MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370681Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:24.675{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05EF0F9FA012FAAF70F28C4593AB760E,SHA256=9F2BD6792A2BA49330C2966D6DF771705201C21E12EB54BA448EB77FEB9DEDAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323821Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:22.838{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50000-false10.0.1.12-8000- 23542300x8000000000000000323820Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:24.174{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74B644265243276427EC80F47FB22A0,SHA256=7438108A801159FA98733CFDACC8819407EA035622A02D182D13EF9E0F41DD13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370680Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:24.224{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-021MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370682Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:25.679{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A809BC675353E16F442FAC5270F298A,SHA256=2AC382D395AFF6C3A1E9BEDA6E3C060C4A1118F42043B9F3AFA25D4EF667ACB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323822Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:25.174{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F046677E6E233F55D9C657695F2D95,SHA256=FD6623FD8AA86B2C9735FABA5EBE560F0CBE60702E075C540F316359E3A43DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370683Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:26.679{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55CA8DAA5305AA9991738989C9F855B9,SHA256=693F3BB4F1D8C72F2AF64C14C06625E34AA7F0094ED58E56DABCD785D98E87EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323823Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:26.189{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590942A481A1277DBF3B777610628260,SHA256=04A333B47BF31F48F35DEC880F86483C4C84410DA1837DCF278BAEF9CC1513F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370685Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:27.679{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15771944C09144737E8D937174BBBCD7,SHA256=306736BD4B0CD5908CC0E82BE1CC95DFD45B10843A195DD63DD0AF160C379C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323824Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:27.189{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063106CE81760BA55705DF5C30BCB27D,SHA256=EDAA4ECCE8A8CCDFD17697DD432F85BE4F19B84A359416EA6177868EC74CD0A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370684Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:24.133{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58904-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370686Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:28.679{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6E2FB92B30B5E8490D326CB438F066,SHA256=268EF36CF51B68DCF61BC22BEE613D6078EBA35FE3E41F8191FEABB949B4F070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323825Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:28.189{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A91F4045F3643C8FBC6FD3CCAF3736,SHA256=54FFC8C90CCA2894BD3D4AF8EB19489473A3FFD35E282FD35FFF58DEDF6B2750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370687Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:29.695{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAF212797B1CDD512A39CEA053EE1F7,SHA256=D672B148C121F065749D27757ABF27B0EEB35035BE0324EDCC8D590417AD73C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323827Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:29.377{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D9BD9B7A541D75CF5259029B96FF45D0,SHA256=2BFF548904882CDB64E4A05244D902FD905C77BE09D316885D6F965F5A33C467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323826Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:29.189{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D44A9F753107E152A404B21AAF9A12,SHA256=949D27EFB61A8E5C40B6679D0486DB00BAFC3FB1973299B711B4A6C150E8FDFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370688Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:30.710{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F002B4ED78D70DA2D4D9B2FE430A5E3,SHA256=4CE36638F3F7E384340825CD972046C13FC62995A8B6815C2F149EE12720CB01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323830Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:28.650{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50001-false10.0.1.12-8000- 23542300x8000000000000000323829Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:30.252{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323828Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:30.205{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44178BEEB7B7D6D3348EE510B7C5B2A,SHA256=61A052A49518BF3CD083709A59876FD0C35EA118B6B220650AD91237E70ED5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370689Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:31.788{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817E2E745AA9FB4C4A79CA22A4AD3C5F,SHA256=C14F124DD19B48D835234A45CB74C4399292688067D6E9D84E3D86B29CD52934,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323832Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:29.822{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50002-false10.0.1.12-8089- 23542300x8000000000000000323831Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:31.236{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCEE5BC4A1F14128679F7E4F2A2089F6,SHA256=D85131890D2A7A20EE201B70480C3593BBA17A7639304DC1CD95A754E8BD5828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370691Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:32.788{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E57D5051BCA58B89C30C302F0D7C278,SHA256=7C3F876F3517C3B6A3EB14C95BABAD41AD544BE39820526ABFAD94D5571D24C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323836Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:32.236{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDF888C632EA50C37263BEEBE1F9DE3,SHA256=7BC7DD06212DB098D9D120EEAC0E763B4D1C1C8C8A130733B51F97D2D7F9360F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370690Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:30.118{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58905-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000323835Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:32.064{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323834Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:32.064{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323833Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:32.064{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370692Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:33.788{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F32CF8F13DF153C75B7797C1AA36C44,SHA256=FA02153A09F9596B70B8C7CA6901E9E4A3DF008E76E4651292B1925413D135E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323837Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:33.252{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20D1BE177C4E5F633EE16B924E837FA,SHA256=62D1E15B83CC84C3D745383C808937D734ACCA8BF12801CDB67504B6F8EB9CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370694Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:34.788{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982F3B84522ED27FC5F4981F304E24B3,SHA256=ABC86B7FA63B02653D38F291470BC17CAE649758E35FEF75CD4D0B6AD8D4C550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323838Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:34.267{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146554EE719B1A5A86265A4FC40B65AC,SHA256=7E42FF420A7EF272AE53EBD98C7413AA36C61285CC934F9AC22C5F4F4318F9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370693Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:34.429{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=325ADA20E84E4205E771A3B8A3F515A4,SHA256=3A2FB34E03A10D57422B6652E69786D29FA3544BBD1BA80EB0CE779B43875179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370695Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:35.788{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C32AC7FC8055AA1B2739DFAD3D4B8FB4,SHA256=7CA3AB054876B6FCEFECC928405D6A4E58CC1D137E05183D032C077CD18A10E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323840Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:33.744{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50003-false10.0.1.12-8000- 23542300x8000000000000000323839Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:35.283{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3936783DBD8E43E22AD09C02186BA1EE,SHA256=8B5932BE2A0C376D5458F29B63D00D6CE114527B86EFAF74345AF5586C6C0C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370696Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:36.788{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88BD9DE722A152FE1D3049F432986374,SHA256=9CEBB0F730E6DE1139B38714B0891A5BF1C849E63004B50F280E7EB0E3CEC79C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323841Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:36.299{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BE3842C8BE5DB556A420CB982786A3,SHA256=989EF3D4E5F8C9ECDF10EAD0E0472B3D6B785BC716E0A0C63264B5E4196354E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370701Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:37.789{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00536F36BCC69D4108E99AF35DAC592D,SHA256=DE7AA3CEDA72AE9E9F6F66DD919F421BB68BEB030EECEB13B245A9EE31106FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323842Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:37.314{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4282C5AA840939752B3C0939201C7BFD,SHA256=AA59883B9732D54911D6E4576177F9DD4C8E1027FDAC00B5A46BA4465D01481C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370700Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:34.764{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local60048- 354300x8000000000000000370699Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:34.761{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-266.attackrange.local64116-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000370698Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:34.761{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local54409- 13241300x8000000000000000370697Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:05:37.289{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e3-0xfe69cd54) 23542300x8000000000000000370703Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:38.789{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032C7C2BE2E532FBD13AA6EBDDAE984E,SHA256=C56EDAADC592989F25D5FDDAB19D43B36152B68F654ED3F41F44142D58099CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323843Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:38.330{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=576A756209DB5DF79E3DF6D6EA1DADC7,SHA256=F4F37746E36AA79A96BAC301670D13F3060D9C79269F0A46452959F299F294A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370702Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:36.087{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58906-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370704Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:39.804{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68DA7460163EA34D63630807987E9F1C,SHA256=A6EAA1FCD23763D0DC084967619EE02609D3C53742561559BCEACA00C630EA4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323844Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:39.330{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A6B33D8FAF3F747678CDAE779E0CD3,SHA256=7A543F26BC27B601F10281B12088D2EE776422FA74302CE817E91C40D494E6C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370705Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:40.804{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10879A386D6720385185CA3731887E7,SHA256=067F3AA7ECDA0412966A30B33E434D5517F7922C5AB5185652E04285FDCE3D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323845Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:40.334{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8CBCBA443BDD505890BAA2C8A412AB,SHA256=E4E6BB6B130B0D5C9A794B3E2752FFDBD7951924D54CE0FFA9933FD23A1FF322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370706Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:41.804{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AA697A102B4206C7FAA1A4D951BC7E,SHA256=1DCFB70180904726569EFCFF4C3153FA47B5D60B64E3E0B3F6C9006EAD6CA056,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323847Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:39.639{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50004-false10.0.1.12-8000- 23542300x8000000000000000323846Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:41.334{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0821EFD59705010E1EAD4D8013E32928,SHA256=2BDA4BB7C08F97BB330528024BB5812646109EE9727C74FCB3CE38EE4DF765D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370707Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:42.804{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B926EB801C1B9263B685587C3BD830,SHA256=AFA7956E79D7F7FFFD286DED1562F39AC88F2BAAB533137952C12791AD964E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323848Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:42.366{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A53DB871F69088EEADE05D40B4F803,SHA256=D5DA0C4E6D52BE9C63DE1F31ED3D47C6B9F36B4978DDE03B23288DBCDAC2D961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370709Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:43.804{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A32CF9B6BC3DBD24B658C3DB4E3D924,SHA256=CA77E669831C87A90716B02DB03D2997ADECE03F50B5D1F71A00C639A2AA7201,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323862Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FF7-619F-2F01-000000001002}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323861Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323860Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323859Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323858Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323857Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323856Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323855Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323854Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323853Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323852Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5FF7-619F-2F01-000000001002}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323851Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.740{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FF7-619F-2F01-000000001002}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323850Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.741{99D2EDAA-5FF7-619F-2F01-000000001002}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323849Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:43.381{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F428698BB865A74092B1E3EA4FC3E75B,SHA256=9063860EFC864241B354F3414DF6338793A44D68294574280AF276672D72CA94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370708Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:41.087{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58907-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370710Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:44.804{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954E01380F68C5CE1C11378A53FC0CC7,SHA256=0B755FAD0EE2B46F79A634935C5210F3B9F82C997D54193A1F352C68F722AE07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323879Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.959{99D2EDAA-5FF8-619F-3001-000000001002}25201140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323878Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FF8-619F-3001-000000001002}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323877Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323876Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323875Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323874Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323873Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323872Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323871Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323870Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323869Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5FF8-619F-3001-000000001002}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323868Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323867Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.756{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FF8-619F-3001-000000001002}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323866Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.757{99D2EDAA-5FF8-619F-3001-000000001002}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323865Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.741{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A058FA3F493D9982F12287FD71EBDC38,SHA256=C4F7004FF7FE006FEC649F62DDC6BC5B77DB0B6DB4DFD4BC77B337605517E0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323864Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.741{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE9FB0912F50F0680AF4758EEE69F2E1,SHA256=8864F6E37CE8F1B9776262A898723BB8794A9F2E8D74018C830AB18C7CD82C5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323863Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.397{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD054DCC0A846D3DA2A21B95B83EA7CE,SHA256=99E7273A98686EC20E054D48D5EE25B8B0563EFFD92F82CD0AC8C5B4D6E9EEC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370711Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:45.804{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAEBDD2F4D93DEC068CF29AE69D02F6,SHA256=410E7B181D2BE78FAE4E8600604B6E8C7080424869B1EDD8C5EF73DF018F2B55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323894Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FF9-619F-3101-000000001002}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323893Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323892Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323891Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323890Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323889Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323888Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323887Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323886Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323885Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323884Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5FF9-619F-3101-000000001002}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323883Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.897{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FF9-619F-3101-000000001002}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323882Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.899{99D2EDAA-5FF9-619F-3101-000000001002}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323881Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.834{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A058FA3F493D9982F12287FD71EBDC38,SHA256=C4F7004FF7FE006FEC649F62DDC6BC5B77DB0B6DB4DFD4BC77B337605517E0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323880Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:45.397{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0C5806C74DB622391DD2B31D642115,SHA256=721C994372DA4B3F58235416B983D44C706B76C3D31F08B6BA210339EA7092D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370712Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:46.804{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550D715B0881B297C52C364CBF50F261,SHA256=09E6FFDE707A1AFA49AAF305220DA68C8234A1CFF0241C058D5CE36260EE9C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323896Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:46.897{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1DCAA8C5E4F2CEAC1EB0AC5D8120A13,SHA256=7E1F653DED0D931D0ACC1CAFD58370C06B06B5BC6667EFBDA04729808DB33FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323895Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:46.412{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDF30428C521682DE920FBF12ABB426,SHA256=A9F3060F2CD3688349766C53DC651385696D2AE5322B7887A6AFF54309282327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370713Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:47.820{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C33D0C6B7DE887324A056D2A07082B,SHA256=1A9E3294D130DE687E20562FE9DCC794F87614711568B60D061D2A15B04CDA3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323912Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.678{99D2EDAA-5FFB-619F-3201-000000001002}25723648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323911Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FFB-619F-3201-000000001002}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323910Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323909Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323908Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323907Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323906Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323905Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323904Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323903Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323902Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323901Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5FFB-619F-3201-000000001002}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323900Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.490{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FFB-619F-3201-000000001002}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323899Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.491{99D2EDAA-5FFB-619F-3201-000000001002}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323898Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:47.444{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F325FCB3B20453266267DA67F39033,SHA256=C081BCCB5B42738C92C641B10B6C108724E571D39AD2FDE4F0F4034F19057C06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323897Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:44.780{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50005-false10.0.1.12-8000- 23542300x8000000000000000370715Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:48.820{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A8513CDCD8FC6C58B24316FE509F348,SHA256=988BE5293C34E733A46886651F418051AC9B715E8FD66012B1CDCDA51D577E30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323928Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.803{99D2EDAA-5FFC-619F-3301-000000001002}25003420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323927Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FFC-619F-3301-000000001002}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323926Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323925Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323924Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323923Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323922Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323921Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323920Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323919Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323918Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323917Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-5FFC-619F-3301-000000001002}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323916Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.615{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FFC-619F-3301-000000001002}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323915Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.616{99D2EDAA-5FFC-619F-3301-000000001002}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000323914Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.506{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F5D4466E9A043B957099115F7AB49D6,SHA256=22320C5EBE3F5CC6351450B0C2340D1B2BC87F2808553F47F3F1810E09253CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323913Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:48.444{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95E1B7C653ACEDC0B1517C664560F4BD,SHA256=B8BFCBB3B07E609B739BE08446F7D04A15C06984E994BB169002F742E9A9976F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370714Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:46.196{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58908-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370716Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:49.898{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A8BAF0A551F115F235293E6F6FB1CD,SHA256=CA31C1D828290EF8BDBC0EAC510356A1B7617E21E6D2B0B160D69353CD99B0A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323944Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.834{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5849BCB03184E240929EE98E3A91BEF2,SHA256=8DF5C5715E5901DD3DFABCC195B8ABD51D5FB49A9045A7014ED205824E695161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323943Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.787{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03BCE2BFD1F0BC7738D595EB9EDC9C65,SHA256=B140DDE92723319029F893F0D86850F87B0BAEFACCC0CF37E21459704631349E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323942Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.584{99D2EDAA-5FFD-619F-3401-000000001002}34723864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323941Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FFD-619F-3401-000000001002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323940Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323939Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323938Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323937Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323936Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323935Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323934Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323933Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323932Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323931Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-5FFD-619F-3401-000000001002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323930Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.365{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FFD-619F-3401-000000001002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323929Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:49.366{99D2EDAA-5FFD-619F-3401-000000001002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370717Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:50.898{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9D667530B6B977A02E582DE171458A,SHA256=8B88B9078CA384AA7B9AA6087BFB06F723C59EF3F81A5F374889F9A0ED1FB5D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323958Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.584{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F981136676061818BAA50FA844A509F,SHA256=94D0CD07E5C9BB5E992D482E42033C494DBB5BF714A5512669F7A4EDD606D775,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000323957Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-5FFE-619F-3501-000000001002}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323956Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323955Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323954Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323953Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323952Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323951Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323950Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323949Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323948Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323947Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-5FFE-619F-3501-000000001002}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000323946Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-5FFE-619F-3501-000000001002}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000323945Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.522{99D2EDAA-5FFE-619F-3501-000000001002}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370718Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:51.914{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2532772474E56FFE4A219132B3809E,SHA256=8AEFF4CB7551960BDF94731A36EDE8E6BDC98575E2DA7997A673EA2F7542BC68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323960Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:51.740{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DCABDFE3D43C37B36ED0E2D054C31F9,SHA256=D656D9BBD03DF01EE7E5FD90849CAFB9B5D416BC7D1EC0100FF6196249D9AAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323959Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:51.631{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164F705C87AC84546120BBE6D227D89E,SHA256=BE712FC8408098A55FD444489683AFF76A492495FECE1F943D02B40511ED4272,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370722Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:52.945{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1500-000000000F02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370721Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:52.945{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1500-000000000F02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370720Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:52.945{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1500-000000000F02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370719Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:52.914{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D0252EE1D538DC7441B0EA5DC0E084,SHA256=3CF16FE46FFFBE76035DB0337314C84C049A4CC653CF569A62DE2AB7A686CE5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323961Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:52.647{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A136298E25406BCBBDA6099ED5C9435E,SHA256=4C42B8438DC26CA4197E8A91AAC73DBBB5F3D5D8C54D5913E1097A93A61C34A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370723Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:53.914{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A76F983D53CC4E53EE60AEB4AB58DE8,SHA256=917AA04EAB7F84221F81D625F209AA0C5FF72E94DEC2AAA766BDD37B1EF36DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323963Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:53.678{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49683A41C5313EF0E05B914ECD7F2AF,SHA256=00517F40722DC11538C58533F5CBDAC24758C1ADC5BDB457D00D423B575A8546,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323962Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:50.795{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50006-false10.0.1.12-8000- 354300x8000000000000000370725Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:52.134{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58909-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370724Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:54.914{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B41577F81F95F81D292C68426843C7,SHA256=AF4160F92690DF3FA3F3D0A3E1F08CC8AD538898B9671AF427CD2C7F921340A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323964Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:54.678{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004A25B87977A4FDA88B25EA47B72FCA,SHA256=26FFC7CC07C3401D198AB37E3CA35DD301EBFF2009F204EBA9E413CA5306FBC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370726Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:55.914{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66CEBB40B6804CC7097E41601C278D5E,SHA256=94325C878A5D6C90ADF7B56BB447C138C0D1CCFFC939003A03D9A0CA4188578E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323965Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:55.678{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE213271B09F3A4A3519458EB632D73,SHA256=F6AE2DC0A629669067CD3CF0B46F36577CE6AF0FCB40FA5273B06696AF540DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370727Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:56.914{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC1DC795F949C05A8B2DADF09A01382,SHA256=3DEF58C26FB5ECBBA5B81C0C28ED2E7BDFD73A5BEFF5F347C5EAF617FD84C4E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323966Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:56.694{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947172DD254D0656256340981CDF58DE,SHA256=4B204CBD2BD9A9F5990544BBF0190B5FD416376ACE3FAAC92BBE83B7D001B2DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370728Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:57.914{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D469D7DCDB5FA1DCAE484D2664C3CBAE,SHA256=EA3A7B3AB71F3BFF9E4314FA6E475CC9D4D5398789413766D1BDDABBA06D1B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323967Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:57.694{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687A5A614929FD51932BA0F999ACD1C5,SHA256=59A1584B348B1AAAD60359C9590D18AAD38D8968529D6CA47EACAC6CE9613B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323968Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:58.709{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF5B3F8CF2FEFBF0C9400741CACA6D2,SHA256=A754A53F2778E376B850DAAC84AE5C1B1F5887A9A5FE4DDF49A21EA62CA766C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323970Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:59.729{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8154EF5C71201915659EB3A1376BCD2,SHA256=9C5A0B71448B7389E971A552FB53CE75D2C5664B5B2EF28903B3F048C65BD401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370729Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:59.024{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB6097DB35AC6CF42C18D9AA55E29C2,SHA256=608737F0836D6503B81081B9E4A5A88F6B9773936DB430E72CBEEC7C2ABF3D28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323969Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:56.655{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50007-false10.0.1.12-8000- 23542300x8000000000000000323971Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:00.729{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C558ADEF9DAFCA9A00E265181F522490,SHA256=88E424CC55F89A257938FF3E965683A21665C8321427E53EFD9CDF2D5FA5BBCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370731Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:58.118{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58910-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370730Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:00.075{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE66040C3FCD646A4DAEC87A95022BFE,SHA256=6756E8A8BFC7E561F571DC19E7D811EAD7828F524001AE0D883F71A4B8A90255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323972Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:01.745{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C043CED2BFF0B9D7FD8BD2BD93D30D2,SHA256=1EAEC2FBDDA942292873DCACFCB864FD0B2C22A7B843B8B6B006653571C491DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370732Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:01.294{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F52438A7CDCD083A3C6A52FD6961714,SHA256=EE670ECB9AA07BF8DEE86458E7D730A5AED39F2FDB403FCAC393C8040B063F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323974Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:02.839{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9795D227D6CF2A19AA7CCE06E14C653,SHA256=7D0BE09978F2633DD651941F2CC1971EE39476B4363F6CA7F4C717EAA8C58480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370734Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:02.325{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F36A9A09E2CA43D13EE78AC3FA3CF8,SHA256=A57C8A74DB10F6424C212CD0408FCC74303C9392AE307AF37D1F44A1CD51BAA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323973Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:05:59.787{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-61.attackrange.local50368-false10.0.1.14-53domain 354300x8000000000000000370733Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:59.234{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-266.attackrange.local53domainfalse10.0.1.15-50368- 23542300x8000000000000000323976Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:03.885{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5FB29DCE1D4805327CAD47A01A187D,SHA256=62CF648FBB34E4492201C6050FB054785D831032AC97ABF3465EDAAF5170830D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370736Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:03.325{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551A227F52D8D5C137E12CE64597B1DF,SHA256=C8D0012B9BD8D2561EF4CA0D6B893431DE970110F746346566033B7A251E0804,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000323975Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:06:03.495{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e4-0x0e089235) 354300x8000000000000000370735Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:05:59.235{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-266.attackrange.local53domainfalse10.0.1.15-49524- 23542300x8000000000000000323979Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:04.890{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA94CFF35642E02E3C10FF749C1287F,SHA256=55E6436A33DAD85840358D547D89AF861EE70A05178E9084E21328503C57853A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370747Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.610{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5697452B158D315769C5ACDE019C8F5A,SHA256=CD14ABBC45A7710CAC1F5CAB289DEB603F59F38A29CE61035488F5B976A28C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370746Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.610{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C37E443880EA4087D1ED7CE894958A13,SHA256=C8E164AF34C592A7005D03B17F71DF43B46090F8449AAA5DEC17B93423672C17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370745Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.422{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-600C-619F-7301-000000000F02}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370744Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.422{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370743Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.422{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370742Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.422{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370741Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.422{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370740Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.422{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-600C-619F-7301-000000000F02}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370739Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.422{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-600C-619F-7301-000000000F02}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370738Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.422{27B459FE-600C-619F-7301-000000000F02}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370737Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.343{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F29319DF0C0347AF1433D2F0E2BB0075,SHA256=CEE12709836995BCEA00279BCD76F2A3B0E274141EF7DF868B90F3304A8F2814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323978Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:04.624{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-021MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323977Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:01.785{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50008-false10.0.1.12-8000- 23542300x8000000000000000323981Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:05.936{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC70FB9A977E3442939BFEE1A9B493A0,SHA256=E71F95CAA13E391F15AE78EC2B101567F414087069DE71D74CEBFDA418D2F504,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370759Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.484{27B459FE-600D-619F-7401-000000000F02}43323912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370758Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.359{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FE5E618659DDB1C66B7A82EEDBA0A6,SHA256=055A46F4E15E2B15A20758ADFE0B4AF6A3717B729729700758095F54A3EABC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323980Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:05.626{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370757Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.265{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-600D-619F-7401-000000000F02}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370756Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.265{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-600D-619F-7401-000000000F02}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370755Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.265{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370754Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.265{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370753Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.265{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370752Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.265{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370751Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.265{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-600D-619F-7401-000000000F02}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370750Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:05.266{27B459FE-600D-619F-7401-000000000F02}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370749Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:02.639{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58911-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000370748Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:02.638{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58911-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 23542300x8000000000000000323982Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:06.969{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D55DC0D263F1C313606D90771459FBD,SHA256=CDDBA82AF86D240D34FDBAAFB8DC822ED8149906BA73E2DB32B4A826CA0C663C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370769Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.469{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BD1D79845E9D02511B716743CF6702,SHA256=0881A50C188B0239C253822C3D5DCC26FBCA51446C677407D8C6DFAF785FA2A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370768Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.406{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-600E-619F-7501-000000000F02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370767Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.406{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370766Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.406{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370765Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.406{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370764Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.406{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370763Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.406{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-600E-619F-7501-000000000F02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370762Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.406{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-600E-619F-7501-000000000F02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370761Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.407{27B459FE-600E-619F-7501-000000000F02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370760Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:06.265{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5697452B158D315769C5ACDE019C8F5A,SHA256=CD14ABBC45A7710CAC1F5CAB289DEB603F59F38A29CE61035488F5B976A28C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370772Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:07.469{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E5EABC42A7D8C8118CDE42DC9BCA1A,SHA256=DE7541CBC7B6BA128695D7D092BF39F309BC95BCDC6ADEEF11C903862D0576BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370771Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:07.422{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC860ADAD82F8768644AC43D85FA33D2,SHA256=ED2C76921C98EE1F1AB0677660B548EA0A2DC95077CBD1D854C642BB4187EEF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370770Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:04.077{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58912-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000370782Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.812{27B459FE-6010-619F-7601-000000000F02}1124596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370781Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.562{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6010-619F-7601-000000000F02}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370780Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.562{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370779Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.562{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370778Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.562{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370777Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.562{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370776Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.562{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-6010-619F-7601-000000000F02}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370775Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.562{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6010-619F-7601-000000000F02}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370774Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.563{27B459FE-6010-619F-7601-000000000F02}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370773Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:08.484{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38951E4473B8BEC206E370CFB68AAB6B,SHA256=F30A3C9A7514CAD149849A5FA3956430CC716F6EE79066987D2B4718790B7875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323983Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:08.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB617DB1526FFD506B695443AEC63074,SHA256=4971099C35A83B7F25EAB99477287C02BAEA202BEDA65CC14E9C61B26992ECDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323985Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:07.743{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50009-false10.0.1.12-8000- 23542300x8000000000000000323984Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:09.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DAB42A6DE8B2D10201E176C9F8BD42,SHA256=B1A6A940F361F81244AEDD06D261CD1856874240FF8991E1C081E82A1B092196,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370801Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.922{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6011-619F-7801-000000000F02}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370800Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.922{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370799Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.922{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370798Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.922{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370797Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.922{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370796Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.922{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-6011-619F-7801-000000000F02}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370795Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.922{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6011-619F-7801-000000000F02}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370794Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.924{27B459FE-6011-619F-7801-000000000F02}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370793Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.562{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14AACE75D015E5951BA6726669CEF8C7,SHA256=F4865C819E833C7EB8FD5810984DACB4BD9A78FE388208676FF25DCAD4EB6683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370792Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.484{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882E3B9497BCF15DB634FCB63F0D81A5,SHA256=DC787FAF7D91B03E9B731C5A8A6E20209D305039E48A2F1569E10F575B89D7D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370791Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.250{27B459FE-6011-619F-7701-000000000F02}6032360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370790Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.062{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6011-619F-7701-000000000F02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370789Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.062{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370788Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.062{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370787Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.062{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370786Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.062{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370785Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.062{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-6011-619F-7701-000000000F02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370784Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.062{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6011-619F-7701-000000000F02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370783Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.063{27B459FE-6011-619F-7701-000000000F02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370804Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:10.922{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=238BC1E9A6CBA15D7CE7DC6F64FCD985,SHA256=F904B62079F4F84C0461BD7E01140212CE8F4B5D6C845BF35E5BEAB8F07DB0AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370803Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:10.500{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786376363DE66681707C10458F321FF2,SHA256=3DBD6CE3F995DD97E11C0D15A0BAEA5D1ED617C6EE0D8FC263EB27CBDDF03D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323986Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:10.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F914AF57C7D3ED6477D46FE8E64AFDE,SHA256=7C4036F9441C77577C17A6803ADC23E05729AB87BFC919891E35FAB76CBFC1DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370802Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:10.109{27B459FE-6011-619F-7801-000000000F02}5882236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370805Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:11.531{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A66175F2280F22BCA01D4DB13AD458B,SHA256=B10B77A4803C956D7A0BA09251D477116C8B5334598D14E8A5053BAF3ECE1C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323987Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:11.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BC2321B26A053F2280D0481B0BC805,SHA256=5B4BC41820B03F26EC11AE695C6A6BFEC8A77A745F833E7E84C84DE5B59683F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370815Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.531{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9FC9DA9305C39DE4209BB68B11ED455,SHA256=2DFF4CECE30B42BF648CA299865C39F659C3E30CDAB455DD9198B16C4AB57DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323988Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:12.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C754ADDAA544A390604EFBFBB239C07,SHA256=9F049B3462536D7D4C58F808215B915709FAA0C614839EB9F672DCBB5D96042A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370814Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:09.154{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58913-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000370813Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.109{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6014-619F-7901-000000000F02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370812Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.109{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370811Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.109{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370810Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.109{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370809Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.109{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370808Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.109{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-6014-619F-7901-000000000F02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370807Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.109{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6014-619F-7901-000000000F02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370806Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:12.110{27B459FE-6014-619F-7901-000000000F02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370817Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:13.547{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2553BE91B7E90D120FFD11016ABA4120,SHA256=F859546FCED2FE8D15501DBFB7B29FE819104111D9F478E431242F5D2D41AF3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323989Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:13.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33B890E9E21886DB90762B702BB5742,SHA256=CC2691580BBFF42934B310B45EE418031B44318169EA3BEDECB96A69A5FC2465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370816Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:13.109{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA4704175E0B0048C981B14632ED3033,SHA256=ABEFC33C2FF8A043738A192B957D81C1CBE3E7BEABD0599194D88FDAFD20A76D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370819Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:14.734{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370818Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:14.562{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDCE685B185406FA421813E80BC002C,SHA256=E7BF3AE84E9FEECC82EFEC24B15C329C457A597B86384055BDB1C3913BD2CE56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323991Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:12.759{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50010-false10.0.1.12-8000- 23542300x8000000000000000323990Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:14.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B294319BCF9164A1C7F9CC40E173B1A8,SHA256=BDECD4B507649E6548341E8F00514A1C91383B7809622BC6D2D7BD47030E1FF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370820Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:15.562{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C4A252E239E318B289C38BA0E56215,SHA256=F11128ACB7DD41006F211D171E990657F72DF3439C384CD0997591ACBC311471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323992Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:15.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441F8544396390A244978C0834996F53,SHA256=3486F81002DADED5BD5FAD25D1CE57F191CA2DD1D13496B23C8165E5B6602643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370822Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:16.563{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED414EB827A0DB99C43F911B4A3AC6E,SHA256=3A8136C23D227361DBE64F9BD80DF584811C5D32E26C5CB4936CD9DADB0390F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323993Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:16.063{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6D2170CA4AD6493AF0E11E5BB3E0BB,SHA256=B6EBAEDDB5AB73A56A500B41563BF213C28963D6674EC2DC1808C16384574A43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370821Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:13.749{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58914-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000370823Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:17.578{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86630CAECEF28F579CFA10D92B1200EE,SHA256=3DADD4383C77A28CAE36E367F837B3D909C230632E7C4A7289357E5E20779F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323994Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:17.110{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C7D50D350218514424FCDDF07CCB46,SHA256=F9FEA1385F5ADF8A271C6E4BF072E5F073F94EB7F401D10D84FB08F44160D0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370825Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:18.578{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F1BDBE0E6EB9DDBE13694660316A562,SHA256=FF8CAE246932CBE17BEF0772FE041B671F6D040A28D3B1FC9ABA155C7E67FFE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323995Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:18.110{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADA51835457A00B25E893A349749687,SHA256=66C7936E2DA405422C6C421AC8A64906772EF2E774FA7B0008DA2E7C5BFBC80C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370824Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:15.154{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58915-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370826Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:19.585{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C925422CE35B532FEA0A7CBD90C721FB,SHA256=C3A52DF363C7264D5849C8357A3B198BBAD5CE921103B41A370D713FD09E55BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323996Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:19.141{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE561248326206AEA71C776A8BF30527,SHA256=04873A5470F2760F55ECD094F700A7353AE6D7336CEC5C32BA400D7BB8DF51A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370827Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:20.585{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060ADB73B8EFB675717F10A4C039D706,SHA256=B8393D629498DEAC38817C385B15BB8E1B3C3EBDE23F4F0B95F09DFDA3D043FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000323998Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:18.743{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50011-false10.0.1.12-8000- 23542300x8000000000000000323997Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:20.158{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B539211DFE5D86173329884DA1299A,SHA256=C4EF0C0F08F5C62F80039C0DB1379A52713985FA38EEF52DABA26B384ADBA59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370828Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:21.601{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378227930B95152E50C391B20D52A87D,SHA256=A5488A80A1D4068DBFF1AE20213DDE5D0C2273EE76C7ABF9B492A1E029E4FB22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000323999Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:21.174{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7320D9CF3B5D2B759570837BA2A40DEE,SHA256=327C6BEC7CF726C1F29375B151E671746D65957B2FCF58ACA02B4CBE4D7C0C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370829Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:22.648{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F9BA95EAE070C2C32702F9990D9297,SHA256=FBA1F7A7562C77D66B0CEC2AD8951C6AA900D5E3F724E5429F0BAB5EA67698C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324000Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:22.205{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08AF5AA3C47C2D7F3A0F635EE3F7CBC3,SHA256=E1C4C87BACA3269CB5B5922B75AA31C69E00220FDE6E65B8B08373FFB009A4FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370831Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:23.648{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A013E3C25DFD79BC539295EB7DFE956,SHA256=0B171C94CA84B45633B6FB1A015182585352F68C7A4D6E27299C49DCED985B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324001Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:23.236{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13DFAA959264289DF9CCCF79F69E8F48,SHA256=B0571EE84DE072C93979ADE7D6DBC9ECE500270053B5046FB5F1BFDCB2C10BC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370830Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:21.083{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58916-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370833Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:24.748{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-021MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370832Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:24.667{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D400DE0275EF66EA95AA2521989912,SHA256=849472C8639441D9C0F0D58AD5AE0C5AB588664A26A9B8CF5C24AC0B455D0C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324002Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:24.268{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1D2804437DACA7B827F78BFD185D84,SHA256=589E616B9BF5B6842C5303D781D46560D48271BDB6A007A250FEBBE75CF60509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370835Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:25.747{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370834Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:25.668{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E7D0A9301CCF1640491542B41B373C,SHA256=5E4B1C4A1BBFFBB59FD10A3806B60DA1E7C2151BA010AEA8BB77AF729B2D3198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324003Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:25.283{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431D9A4E36589F835646392BE3652507,SHA256=1F5314F25E11448EB997C72DFBF72516EB26A21CA164DF14767D886B944DE77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370836Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:26.687{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25AEFC8DBD64933E2ADAC1E20164C61,SHA256=07C778842D01288ECB7099A267FA7E1D0CB9083F14F6D73CAF077B64AC140C5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324005Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:24.636{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50012-false10.0.1.12-8000- 23542300x8000000000000000324004Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:26.283{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E103A80F9FF5FE67FEEDA86E9E0F0B,SHA256=8FDF67E731AF05E5371491D60B1DCB0EA6DF75E8C84E0A25AE46C9F175ACC5C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370837Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:27.687{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8683130C25C429E0C727641476D78C,SHA256=701F37A484664B2167D63FFA0B5B4A2D2474ACD46BE475C82F0BAFD7D7989614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324006Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:27.299{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BFE20B2A6E7FA64104DEC0A52ED0B38,SHA256=7FE326D9EE31E8B2525667CCBA5C3075F0C063DFE23EA26CA7D2A56D4402B3BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370838Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:28.687{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D95647BAE31A0C766C3A871870ECBBED,SHA256=CB293F5324D2B08392262DB0FF794F227ABB01D8C330C48FF7A90D1329317C23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324007Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:28.299{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB5F4B2D97DF8AD3AB7CD99BEC914C8,SHA256=BE4724F7833DF47E0F372D746B226739EB59AE5364E918F52122FFF41F54C9FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370840Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:29.702{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A934352160E1D875C3421334300750C8,SHA256=2629CE91786C3333C306F3AC041D4D5780777ACA61FAEA499FD6B84C8CAAEB71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324009Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:29.377{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8811C59BC1E6D6B4742F71260183D48C,SHA256=6D2201DBA46A15B1381516C57D5C538367D0F9A99F38888CF32D658809720A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324008Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:29.299{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FFEB02E4223F6FF7979588EE3DB8979,SHA256=01A856112306D732A95276F20F4F66DFD3FC75F4B390AF8211A06CFCB2FA5FC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370839Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:27.059{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58917-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370841Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:30.702{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5B1AF5F746F70E58670F630BF83AC9,SHA256=B97FA02D6A4D691DBE2E7AF477B58A5CA7A9342089AD223C3E6E35B86DD8959E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324011Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:30.299{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0911A4B01ECB521B49188F8AC162EB91,SHA256=14F913D59A29A139708AC6A6DF722A0CEB922AFABC6B3FCD22D0203626B5B133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324010Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:30.268{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370843Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:31.702{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7317D3D0DCF99572118E8D358618A1D,SHA256=008A4A6698503069A7C40284551234077927E879E1595F4824C1F157AFAAA3E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324014Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:29.839{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50014-false10.0.1.12-8089- 354300x8000000000000000324013Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:29.792{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50013-false10.0.1.12-8000- 23542300x8000000000000000324012Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:31.299{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBD5E421909C240B9708A2FF898FAED,SHA256=B9107A122DC64CE8DF3FA6F3180ECF6EF3D179FD7F596B1C1F86F82989140891,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370842Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:31.562{27B459FE-5AC4-619F-0D00-000000000F02}8964808C:\Windows\system32\svchost.exe{27B459FE-5C04-619F-AC00-000000000F02}4356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370844Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:32.702{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBC7133826ADC0C037EFDC8AB1E29F7,SHA256=F0F21C312DCA3CB6207066B0FD724CAEDEB43ADFD42DBEA301DB98377B37C4DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324015Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:32.314{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BEB06277F18680C87D9940708E44DD0,SHA256=11E982ED2B3FB80C415F55E1A51EFA38CA0C90B29A4272FE99272A461825F59F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370845Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:33.718{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1D4B51054DFFD2D189DFC0FA96D29DB,SHA256=0D3CD24093F2B6CF2FDCD6C1582B8EB958D20FF496EF6D227CDD3DE1E785332E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324016Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:33.330{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BA09E0185DC5D523786D1864BDFEED,SHA256=181604B205F370A669450B64C1A1F780FB2208774A6A4B2C596D5DA0791C7C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370848Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:34.718{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=252F161EF181C7333C8D9BA26930B031,SHA256=3178D394DDCDD3A629ECD79FFE83ED65D26CAA96CC308C9092801408D14D5001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324017Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:34.346{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6DB0880379A40F4834B50C54E7B0EE,SHA256=264F5A7911903B8E0EDCF809D2867F50B74A36B1DFCB0985D3A10013F161BD51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370847Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:32.184{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58918-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370846Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:34.437{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E6F6D8C89D05C8585056850616E3404F,SHA256=DBC38ACFB0BC3C505CB6201D9464B2183F8B3BAA2496830CB9E59B25ADC73A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370849Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:35.781{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F8652DF28B279F60A549CBB963D69E,SHA256=2CE798C64E175F9DAF4B0D7FABB70498ACDB03342996B01B4F9C388D47482F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324018Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:35.346{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB6DDFE818C61787529DB2204828108,SHA256=2BBB2198C0AA38FD1564779C6E9F6295E3969E2FDFD386FBFA4F9834E5772AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370850Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:36.827{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD7A4BA70F8312A00A749EA3CD4E0DD,SHA256=284C549270C6D810FC0230C92B4292D1FB3A1EDB06AEDCAA0FA81AA83CBCA65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324019Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:36.346{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5300103D57104F389316BEF64A7E9A,SHA256=EAAB7E1649AC5675733561B83FE7B4191C63E3178E0494969E42F10B3A7CD9DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370851Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:37.843{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FAE54CA82E1CAE219AF8FC2166E1ECB,SHA256=78227FCCB41DDA28E35009EEDF27E5C8D1EF4AE087B993C4B048B1981CAB1FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324020Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:37.346{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641EF6F195649CD74DD60F15147D76D6,SHA256=CEF9B8BACC7660017918110F30516DAE38E836AD1103827F1FF50D20D1231B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370852Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:38.859{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC05586E6AFC359369AC3B65B754D72,SHA256=303131AF4DCBF0159BAD82E7748AE157149A3368FD04A6F9229690FD0D159567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324022Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:38.346{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AADACECBD896C5FA0B06678E595B434,SHA256=566270F5A66875D9CD0F32BDE200BDEF528F8DCD2934719E8D0460EE8C858348,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324021Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:35.823{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50015-false10.0.1.12-8000- 23542300x8000000000000000370853Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:39.865{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A56AC467F6A853832FF2B2C0E28EC0,SHA256=3798EF89C1DE136852D946787BBDDE9D225B53A10B1552AE93D1E3EAB4B77487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324023Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:39.346{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF4239318F37DEAD52157EAFCD98F09,SHA256=93C5FEAEFCE367A6023C9567B9210C2CA379522EB207087591037730FF1ECD1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370855Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:40.865{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B85AF43FFB35700EF8678015D285333,SHA256=980F226C380DC4F90CAB1748FAB867622FDB91B0FF7D21BB831EA44D096EB9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324024Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:40.374{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45AD44B6F6E36ED0F311CE7924A2E1E4,SHA256=BE0E20A593BF4A1784C16B7E8E66AC489E4F40CD59969A03425A92E562FFDB6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370854Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:38.122{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58919-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370856Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:41.865{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E19F7AE0E7759C1DD048138FB55273B,SHA256=2D4E4C93ED6D26070A6EC7BE901B664145918292D2F3EA6EB82440DBA6D7B995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324025Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:41.390{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C9B34045953B3721ABAB6A777768D7,SHA256=D9DE84077D56AA3D1518D61D8C6E8188433DA557864E907CE536EA57522BB927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370857Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:42.927{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E70918E176AF9741F1B9BDC25FC3122,SHA256=7FBB5AF6946F3A12B74046CDB3789AC5ECAF06BD406FECC216AE2EFFBF57B2D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324026Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:42.390{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EFAED64469A78FE4DA5A42722A24CCE,SHA256=70ED17B53671B0FFD4B3233B6B90123235176D6E75BBE94AC40AC4F4E6AFCC9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370858Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:43.927{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC31F5FAD4FD5AADDAEF50453CA7D8A,SHA256=E1C68BBFE4CDD311599A5DD00E9946069462A9EBB2903F033916343C209C4A42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324040Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6033-619F-3601-000000001002}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324039Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324038Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324037Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324036Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324035Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324034Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324033Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324032Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324031Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324030Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-6033-619F-3601-000000001002}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324029Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6033-619F-3601-000000001002}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324028Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.734{99D2EDAA-6033-619F-3601-000000001002}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324027Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:43.390{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8773A791DDABCB673589407D73F35D72,SHA256=7C25FB46D11FF0B818D99F335A302BB5AB8D0AE7FE86333152718247DAE66071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370859Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:44.958{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C32718FBB04A1A03C2077D56BFAFF33,SHA256=CD00162DD204B6CECEC15FDCFCAF8750DC5187AAAF59B627DC4506582C04DA64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324058Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.843{99D2EDAA-6034-619F-3701-000000001002}37642676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000324057Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.734{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=910D59D4D82B82FD40B34765154667EC,SHA256=15D0A37E633A309F6238EFEC7A47AECE6EC64FC438DC74BDA1AD5B7FC0255549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324056Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.734{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71917A0DE8AF78BF44544E1C47D62F73,SHA256=5A66D235F62C50CAF7FE6DF6031073236255CAF7AAF0A283A334054EAE2DB1D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324055Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6034-619F-3701-000000001002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324054Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324053Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324052Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324051Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324050Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324049Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324048Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324047Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324046Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324045Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-6034-619F-3701-000000001002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324044Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.656{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6034-619F-3701-000000001002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324043Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.657{99D2EDAA-6034-619F-3701-000000001002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324042Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:44.452{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1D52B1B2A5AFF5879E04A1508B5D9D,SHA256=FAACD86A07C2317E284BF42DCBEDAC8BD5E5821DD048DC289F297E5B0BECB216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324041Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:41.713{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50016-false10.0.1.12-8000- 23542300x8000000000000000370860Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:45.958{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B782214EB3E0992E7D02E25B4D29EE38,SHA256=F356099BBF018C6AABE4C7B39873B569D36A3FC5A0F0FD2E2EC488F612D168D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324072Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6035-619F-3801-000000001002}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324071Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324070Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324069Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324068Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324067Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324066Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324065Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324064Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324063Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324062Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-6035-619F-3801-000000001002}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324061Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.890{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6035-619F-3801-000000001002}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324060Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.892{99D2EDAA-6035-619F-3801-000000001002}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324059Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:45.468{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121A56D434EAE764AB9F9EA6B7ADA3AE,SHA256=0B93FE8C658458E81FB77FDA174BDB0FF1C2C09B8B98174011AAD6A60665B790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370862Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:46.958{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61083ABC90BFA519695241A872ECC32,SHA256=D404E2C80337CF12E2780895B1F7300AA8B3893FE818503B88B832E4F046CAF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324074Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:46.890{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=910D59D4D82B82FD40B34765154667EC,SHA256=15D0A37E633A309F6238EFEC7A47AECE6EC64FC438DC74BDA1AD5B7FC0255549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324073Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:46.468{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69DA04ACC0ED0E33F71F073FA2352F0,SHA256=4B4429E523F8F09591B2663E00E48559EDF966E2152FECAFFEE0CFEB786E5BA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370861Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:44.128{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58920-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370863Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:47.958{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F1E3C9B2B922D6D9F5596FC111EB85,SHA256=0155F86BCF049BD26855E8E72D44AA288B7449ABEFBA3C183E62D2F7ABE4E4D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324089Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.687{99D2EDAA-6037-619F-3901-000000001002}22923152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324088Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6037-619F-3901-000000001002}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324087Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324086Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324085Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324084Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324083Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324082Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324081Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324080Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324079Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324078Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-6037-619F-3901-000000001002}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324077Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6037-619F-3901-000000001002}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324076Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.484{99D2EDAA-6037-619F-3901-000000001002}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324075Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:47.468{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0530E9F380C801D5D4168CCE36B5498A,SHA256=B765965D52AF9C1E8DA3F763578954F90056C0B6684FDA64D2C9701E1BA7B099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370864Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:48.959{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADE5F289E1B55F2DFC69BAC71A2BACE,SHA256=404183BBA02950A12F95CC11133E8F90C8738A3D92EA9AEEAA01A858F122315E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324105Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.812{99D2EDAA-6038-619F-3A01-000000001002}39723596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324104Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6038-619F-3A01-000000001002}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324103Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324102Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324101Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324100Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324099Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324098Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324097Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324096Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324095Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324094Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-6038-619F-3A01-000000001002}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324093Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6038-619F-3A01-000000001002}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324092Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.609{99D2EDAA-6038-619F-3A01-000000001002}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324091Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.515{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69A78B95730A653AC98082A5D475D9E,SHA256=12F864E0BC46E6AB7853AD87BFE32BCD99903D57377B0D4DAA361BD3F6360804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324090Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:48.484{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88907EF3578949F087EC06D315970FED,SHA256=65642800BF00261682C22CD69A9F7584C75B925E264E8350B546FF090DC8FA9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370865Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:49.959{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC169061678046021302C47A2F19908,SHA256=80A889553707DFB64CD01397B869C07486902A410CEFC41E1F266D5DEAA16C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324122Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:49.796{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726D62BF9BF4E9EE083416C6CF815CFE,SHA256=EBE1CD6FB60B42E315EF5127F4D564FF7742AB5A97F44F77CA74617E48810960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324121Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:49.796{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAEC7A9B7DAF6492A5FC604E0FA5894C,SHA256=FDCCA9BDB31A874A70DB5345B7211E0601F5D2A39AB4ED4E179C3484D2ADE4D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324120Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:49.515{99D2EDAA-6039-619F-3B01-000000001002}11281036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324119Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:49.359{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6039-619F-3B01-000000001002}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324118Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:49.359{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324117Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:49.359{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324116Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:49.359{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324115Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:49.359{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324114Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:49.359{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324113Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:49.359{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324112Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:49.359{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324111Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:49.359{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324110Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:49.359{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324109Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:49.359{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-6039-619F-3B01-000000001002}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324108Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:49.359{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6039-619F-3B01-000000001002}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324107Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:49.359{99D2EDAA-6039-619F-3B01-000000001002}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000324106Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:46.743{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50017-false10.0.1.12-8000- 23542300x8000000000000000324136Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:50.609{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF8263E225C73B262155EA99259043F,SHA256=543839CEE72A403904368639452D625F6F34F6F214E3C973E90777EC4E25C65D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370903Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370902Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370901Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370900Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370899Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370898Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370897Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370896Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370895Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2B00-000000000F02}3000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370894Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2B00-000000000F02}3000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370893Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370892Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370891Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370890Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370889Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370888Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370887Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370886Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370885Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370884Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370883Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370882Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370881Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370880Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370879Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370878Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370877Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370876Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370875Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370874Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370873Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370872Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370871Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370870Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370869Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370868Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370867Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370866Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:50.287{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324135Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:50.531{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-603A-619F-3C01-000000001002}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324134Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:50.531{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324133Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:50.531{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324132Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:50.531{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324131Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:50.531{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324130Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:50.531{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324129Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:50.531{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324128Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:50.531{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324127Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:50.531{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324126Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:50.531{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324125Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:50.531{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-603A-619F-3C01-000000001002}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324124Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:50.531{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-603A-619F-3C01-000000001002}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324123Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:50.531{99D2EDAA-603A-619F-3C01-000000001002}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370905Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:49.159{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58921-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370904Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:51.255{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E465A79CD3EF6BC4C31A57E41A970D2,SHA256=8799E9E8DE895411A178E204C483885D26A88558E40A8B5D6CFEA1BEB2E9A4FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324138Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:51.624{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F84FE504F13E24B5BA4BEFBF86FE39AA,SHA256=CB565BC6FC2D567880F3840961457BE6EAE57F9FCD12CCC9FC5E53A053065A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324137Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:51.531{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F5414B20780D9F20771C5FEA74BC124,SHA256=C86E07A0204EB0D2DB1C72A3072ED5D93381D635FB3F08678E0CAE9B5C767FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324139Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:52.656{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573AD5665356447849A111901CD7F595,SHA256=53CAD09B2CB9F3538154C11F0C3B756859B46AAA576FEA59722C2E27303A0F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370906Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:52.412{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DDC78C1274B6B509ECE2A5469E3A00F,SHA256=8F1FB1728D1F7B012B1604903401065B29DDD0C6A0F6871734770BC6F82ED875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324140Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:53.671{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1E32DA89C73DDCA41AA0ACE1C44663F,SHA256=E94E8BEA4EB4A3878C9E5342BA73326BD146EDC0D539DE410D4ECFEEAC47A804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370907Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:53.412{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A515F3C0E1B917AA66C946869BD8AC,SHA256=38FF99C8D9EDE4136C6D7C8EA49AF3EF3F9BAF90BC9005A2E83C2B6D31081E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324142Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:54.671{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32A29B6BEDD06D2107FC02156E933E9,SHA256=47D3A4A38207138139194CF08A5E707414E5E4E2ACC2148BD8C713B8FA2AB264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370908Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:54.412{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08085CF2AFA21072710360E0EDD3EF3C,SHA256=436EB36BEBF6CF39E6624F440AF48C343CEF795D224567F5EEB6FCB0F1D44439,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324141Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:51.774{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50018-false10.0.1.12-8000- 23542300x8000000000000000324143Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:55.765{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F84DD5E973F4F83F852405E896F1D6,SHA256=029DA88FA2A1D568DB51D98C81FE130F55A07F717F64F6948A3E232319F39964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370909Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:55.412{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77824098E50C5E6DE7A72F94EA1B3CA,SHA256=F1584DE09A226A548B3906C335CC4CD7E760F8377229BFE0942F21E6995128BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324144Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:56.781{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6035893082447A5D91988C9C035C87C4,SHA256=B5492F401F399D2A8D5B854B9EEF0CDF76F8E6486C2E8EA53F910A01443F8A24,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370911Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:54.253{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58922-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370910Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:56.412{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C156B0789D90A812E75719FD89743C5C,SHA256=945F08A3F652A384C6848BF57D0FF689B2870E04464990B4D3E9714A81872688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324145Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:57.796{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC75A855A24906ADF19D6577470DA65,SHA256=C317D8CC53631E6E533C762009BD2519372D8DC17DBC589040603BB9DCFA4077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370912Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:57.427{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF598ABD7C50463863CA609798D2BA40,SHA256=DBF09D186396B7FA5B2EE0DDAFFFB64AD400D6DC19839B11F9AF4F8A02A0BB20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324146Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:58.843{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA81680F9DB7BDF93790B2AB0A11789,SHA256=01BD666B586AB90AF6931EC1CADE85A4D5F5D3D6C050ABF81A06021C4DC442F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370913Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:58.427{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8FD1DEC4CDF1D4E6D49AC4197DA0FC,SHA256=A327A4BBD66D2735E5E4F9CFBDC9DF86E58C591B9C007FF477A1202371547507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324147Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:59.957{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDEC23F4160D412F7EE00F19EC31B68,SHA256=C75624487CB49B0DDAC51A93C0895F9A6AB332A3878B807D0EDECE2BC9634BB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370914Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:06:59.459{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4444E8D717EA360E4583E2A3740DE6C6,SHA256=DD0069B3C79E507FBD37D00A427180E3059BB2B62C6AFF1D2C68B81EB9B9847B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324149Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:00.957{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778977630F341E41CDCBA89CBADD24B5,SHA256=867D9CD613A33D19C478E76AB7224FD4A83E7CF076CE6812AB5E302DABAEFE91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370915Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:00.479{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4508BEE94CD07B86B98A4538FAA2EC65,SHA256=3C11C5E043553FD42F3EDA32BD440B0D6D61D57CCF79CFE90AA6D0E27AC59369,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324148Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:06:57.665{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50019-false10.0.1.12-8000- 23542300x8000000000000000324150Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:01.957{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0B9F348059A7CD9C02E0DE1DE3253C,SHA256=88279B65C00A0F892339DF0E4BF98AFD104B57266EAA73FC2A0DB7E2DC7C46E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370916Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:01.494{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029843A17AABCE1556966208C685EC8D,SHA256=5F71342A0D2AD1106BCE0265887BF44D7B4625AF3D803713E31DA99EDC9387D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324151Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:02.988{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A812E2AAE96A7EB2D937D14C7FC6BB0E,SHA256=1D614468EC8CA14E1AC0E090F709A0AFA25E048ECE1B291BC5CDCEABF4936C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370917Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:02.526{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FCED5BDEA1C3BB09309412EB475CCA4,SHA256=3AD024C6F939B42906B42D940CC3D6ADE76F1ADF5744D26EB8ABDADB198CA199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324152Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:03.988{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF4D6B6D4C7532868AF94FE927CC3DD,SHA256=B9F38A7BA4BB0E6984227FC2B20226B4E488B6FDEAC72FE3219948A66683755B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370919Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:03.557{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B60C0244577454EFD082A002D9EAECA,SHA256=2B9D9C5402734B2345E35A5800F669B5A74EE37B57FDF61B4511412A9C05D740,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370918Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:00.070{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58923-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000370930Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:04.635{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=951BA586BAF0052A9079ABD9AFF67335,SHA256=B73B86726C461E6D8F9B71E7B9511A4586A4E179E8482F5A316A9AF2BF96A5C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370929Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:04.635{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A853D77668399EFA0A623DE19C7C3A8,SHA256=69C7F74F73A2420717C5571E85D8F9B6D9181541F8BB3D6AD253092B19DF20F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370928Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:04.573{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34869404E6B9F3330C7CC85424847877,SHA256=08F08F721C3E3FA35BAC9E666B9B2DE0ABFB845E31D1946C0B92B2B5A82E837A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324153Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:02.748{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50020-false10.0.1.12-8000- 10341000x8000000000000000370927Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:04.432{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6048-619F-7A01-000000000F02}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370926Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:04.432{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370925Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:04.432{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370924Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:04.432{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370923Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:04.432{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370922Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:04.432{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-6048-619F-7A01-000000000F02}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370921Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:04.432{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6048-619F-7A01-000000000F02}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370920Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:04.433{27B459FE-6048-619F-7A01-000000000F02}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324155Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:05.989{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9167CCF3168D1614CAD5EC4EF6C761,SHA256=4565C30CC71DB8D770D938CC93259DF38B1B91E3C2252982E0E72E67C9F9331F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370942Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:05.604{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8011E7125F3A8A7BB925F9C5581CB9D,SHA256=9691E4AC15A562C9CFDB60E32C77F3DD89155810C05DFEB0C8C680C1D0191F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324154Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:04.988{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88105B0A09B01E5FF5196264C32661A8,SHA256=4312639EF37738DAED3C3D6E1DE651D72C60C7F7E943568B9A6790BA5ADA43E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370941Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:05.526{27B459FE-6049-619F-7B01-000000000F02}61245644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370940Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:05.276{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6049-619F-7B01-000000000F02}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370939Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:05.276{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370938Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:05.276{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370937Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:05.276{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370936Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:05.276{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370935Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:05.276{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-6049-619F-7B01-000000000F02}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370934Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:05.276{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6049-619F-7B01-000000000F02}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370933Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:05.276{27B459FE-6049-619F-7B01-000000000F02}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370932Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:02.648{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58924-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000370931Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:02.648{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58924-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 23542300x8000000000000000370952Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:06.604{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E031FACEB9041C6B8FF0BA3E1AEAA6C,SHA256=A72E38D5510E8EADF322217BED7BE9EF42896ADB51697839ACA75A7F1280C2E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324156Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:06.148{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-022MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370951Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:06.432{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-604A-619F-7C01-000000000F02}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370950Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:06.432{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370949Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:06.432{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370948Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:06.432{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370947Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:06.432{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370946Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:06.432{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-604A-619F-7C01-000000000F02}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370945Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:06.432{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-604A-619F-7C01-000000000F02}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370944Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:06.433{27B459FE-604A-619F-7C01-000000000F02}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370943Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:06.291{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=951BA586BAF0052A9079ABD9AFF67335,SHA256=B73B86726C461E6D8F9B71E7B9511A4586A4E179E8482F5A316A9AF2BF96A5C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370954Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:07.604{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4327A03A71CFC8DED9AD994D4BD3E44,SHA256=562F4F8A7FC18D89CEBBE1AB29E115AC530CB3AB34D76214746A4BB39E481F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324158Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:07.162{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-023MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324157Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:07.020{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E600D20700B1D486F7F7919A100ECFE,SHA256=BD26E1B8BE924D7F451BDC847820529E178C63570F4ECA5860EA564E2590479C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370953Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:07.495{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=302AFC231C5CC98D63386AB4A151BC8B,SHA256=BE1957BA73E6127491F1A32D3978A3498381381A6951AE183941112AA053FC24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370965Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:08.838{27B459FE-604C-619F-7D01-000000000F02}51522856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370964Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:08.620{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E480467C429EDCADA2A9464513CC88,SHA256=68733F043B24D3338531B299BACCC5B6E823511C1C024746E1BA000469F8A55D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324159Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:08.053{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4621E02AEAD7F88626F39F48511EB0,SHA256=C911D992DDC233F988FDC0C4741A57369D2C1E7C78E991A96322AE127D67AD4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370963Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:08.573{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-604C-619F-7D01-000000000F02}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370962Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:08.573{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370961Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:08.573{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370960Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:08.573{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370959Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:08.573{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370958Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:08.573{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-604C-619F-7D01-000000000F02}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370957Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:08.573{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-604C-619F-7D01-000000000F02}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370956Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:08.573{27B459FE-604C-619F-7D01-000000000F02}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370955Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:05.273{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58925-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000370991Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.901{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-604D-619F-7F01-000000000F02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370990Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.901{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370989Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.901{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370988Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.901{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370987Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.901{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370986Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.901{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-604D-619F-7F01-000000000F02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370985Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.901{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-604D-619F-7F01-000000000F02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370984Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.903{27B459FE-604D-619F-7F01-000000000F02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370983Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.838{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F3C57993F3EF5AB16BA4BBC52C4646,SHA256=884ACD39D5347CDD73D5E667FDF8E9A826941C9C0676B2C12CBAEDA4D6D6E074,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324161Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:07.766{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50021-false10.0.1.12-8000- 23542300x8000000000000000324160Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:09.068{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2CAA7250AD040CE40C17090376E7EC3,SHA256=658A92E7761E5CDBCC423689FC37B9A77763D77551764943A2D7264BBDB0C39F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370982Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.588{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D88846F0BDB64BA51A792F8810D1E2D8,SHA256=C45591E998DC116D70BBD4178D8C657DBCCB0A68A76178D5668B59F0D3E2041B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370981Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.416{27B459FE-5C05-619F-B200-000000000F02}47484848C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370980Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.416{27B459FE-5C05-619F-B200-000000000F02}47484848C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370979Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.416{27B459FE-5C05-619F-B200-000000000F02}47484848C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370978Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.416{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370977Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.416{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370976Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.416{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370975Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.416{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370974Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.245{27B459FE-604D-619F-7E01-000000000F02}1016708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370973Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.073{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-604D-619F-7E01-000000000F02}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370972Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.073{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370971Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.073{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370970Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.073{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370969Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.073{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370968Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.073{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-604D-619F-7E01-000000000F02}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370967Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.073{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-604D-619F-7E01-000000000F02}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370966Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:09.074{27B459FE-604D-619F-7E01-000000000F02}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324162Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:10.068{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C873C0E89DF32AF9FB7A0E1B31A25FAF,SHA256=B155B624590200CA535C5F1231DA4DDD4C4BDB9303B0AB555868848597C890FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370993Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:10.901{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D441642E3C3DD5355B7B0E093E117BA,SHA256=54B3D7ABED42DB874807946CE3C9202A848A139AF624392B56293584652D49A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370992Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:10.104{27B459FE-604D-619F-7F01-000000000F02}54044404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000324163Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:11.068{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866C77A1095381328B52983E609429A2,SHA256=518E40F691C3FECDDF41489F0F4C283D22095002F09139608FDE903026D85BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370994Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:11.026{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B55DD19A5E58DFF4B1FB2174409A33,SHA256=393229F8B100FE0F9C0811FECE0CA9FF532E813F0BD79B643569C29A13EDAF85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324164Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:12.084{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496FECC024A45C33D3B1462B1299112B,SHA256=C37F7BD5F7F186B34E946FAB2C99936CD21A9DBE58712215A2E997B10032CADA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371005Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:12.432{27B459FE-5AC4-619F-0D00-000000000F02}8964808C:\Windows\system32\svchost.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371004Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:12.432{27B459FE-5AC4-619F-0D00-000000000F02}8964808C:\Windows\system32\svchost.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371003Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:12.120{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6050-619F-8001-000000000F02}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371002Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:12.120{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371001Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:12.120{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371000Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:12.120{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370999Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:12.120{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370998Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:12.120{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-6050-619F-8001-000000000F02}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370997Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:12.120{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6050-619F-8001-000000000F02}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370996Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:12.120{27B459FE-6050-619F-8001-000000000F02}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370995Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:12.057{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BA1C262F81CB179741E9AE240514BD,SHA256=1251276C1E8B916712837C009C3C2B96F8E341CFC7568CE9B71006B0ADCD9CA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371007Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:13.182{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7644EC1F8E42781DD2C30E3DA532081,SHA256=5A226433C4B793EA6967F46A66DDD1952ED6C2360380AEAF85674F91759DB08E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371006Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:13.057{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB022832FBD9E48FF84C7B2E7297B724,SHA256=CFFD8E950B39D54482F0E66A515A2FEB39E4B58F5B8376FF122A9567A1414C07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324165Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:13.115{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCAAA7D1228084358E8A1A233ABE3A2E,SHA256=97067C6EEBA3F3D122DF3E672C13178633A2534A50144B61A8BE14AE64773529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324166Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:14.115{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3FF7A5550FCEE618D43849F3F0CCE5,SHA256=04455BE8F011DE7921743717059396534C5F919EF82B89CF786F9F1B2018C70E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371010Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:14.760{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371009Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:11.148{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58926-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371008Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:14.057{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D0C8FB8C17815BBBFEBC52DF1E0514,SHA256=0F280BB32328E8E64EDE28EB9443283FFCF2416846031FA9F3D42EA4E612C2E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324168Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:13.657{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50022-false10.0.1.12-8000- 23542300x8000000000000000324167Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:15.131{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F5DB18B0321D5AD1887284A6FDE930,SHA256=F2B312EEEB2577FEEA7F4626F6152130E578DF7741F03D4898C2ECD220CD6B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371011Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:15.073{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1252502C9F4CB2926503DE8E78A0D0,SHA256=2244C423ADDFE2DB8A0138055709DD340B0B8EDFD208EDDE7891B8170BD1CD98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371062Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.479{27B459FE-5AC5-619F-1600-000000000F02}12881944C:\Windows\System32\svchost.exe{27B459FE-6054-619F-8101-000000000F02}5908C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371061Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.479{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-6054-619F-8101-000000000F02}5908C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371060Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.463{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-6054-619F-8101-000000000F02}5908C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371059Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.433{27B459FE-5C01-619F-A300-000000000F02}13443148C:\Windows\system32\csrss.exe{27B459FE-6054-619F-8101-000000000F02}5908C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371058Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.417{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-6054-619F-8101-000000000F02}5908C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371057Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.417{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-6054-619F-8101-000000000F02}5908C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37396|c:\windows\system32\rpcss.dll+3df7d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371056Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.324{27B459FE-5C04-619F-AA00-000000000F02}42444264C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000371055Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.324{27B459FE-5C04-619F-AA00-000000000F02}42444264C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 23542300x8000000000000000371054Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.324{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76112EEC7F8E9951AE749AE2E0DC18A,SHA256=C8DFCB6B0CC9B20660830EF18C4FCDECDEB5352EF61B81E63E39C38C7572B658,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371053Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.307{27B459FE-5C05-619F-B200-000000000F02}47483832C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371052Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.307{27B459FE-5C05-619F-B200-000000000F02}47483832C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371051Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.260{27B459FE-5C04-619F-AA00-000000000F02}42444264C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000324169Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:16.131{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C421A87728F999EC6AD170F55E649E,SHA256=1155114E741E9EDDE8F29F3A7E8FFB025943A2CC6B209575E3B31564A6599C73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371050Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.260{27B459FE-5C04-619F-AA00-000000000F02}42444264C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000371049Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.260{27B459FE-5AC5-619F-1400-000000000F02}10321172C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371048Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.229{27B459FE-5C04-619F-AA00-000000000F02}42446100C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000371047Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.229{27B459FE-5C04-619F-AA00-000000000F02}42446100C:\Windows\System32\RuntimeBroker.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae9aa|C:\Windows\System32\combase.dll+a577d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000371046Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.229{27B459FE-5C05-619F-B200-000000000F02}47485720C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371045Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.229{27B459FE-5C05-619F-B200-000000000F02}47485720C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371044Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.229{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000371043Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.229{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000371042Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.215{27B459FE-5C05-619F-B200-000000000F02}47484848C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371041Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.215{27B459FE-5C05-619F-B200-000000000F02}47484848C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371040Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.198{27B459FE-5C05-619F-B200-000000000F02}47484848C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371039Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371038Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371037Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371036Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371035Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371034Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371033Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371032Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371031Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371030Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371029Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371028Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371027Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371026Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371025Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371024Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0D00-000000000F02}896924C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371023Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371022Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371021Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371020Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000371019Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000371018Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000371017Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5AC4-619F-0C00-000000000F02}836996C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371016Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371015Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5C05-619F-B200-000000000F02}47481124C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371014Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.182{27B459FE-5C05-619F-B200-000000000F02}47481124C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000371013Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:13.773{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58927-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000371012Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:16.088{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B614236C070B8442B136E7813FBFE99D,SHA256=C79D361B2C6E73725F674D285969A39980D2ED394DA2D2619911B106A6C2C552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324170Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:17.146{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181559373FFBA55A2143A08295737C7C,SHA256=24C7929C0D634D1F2F937C630F0A70FC634437B12B947CFD91CFD569625CADDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371080Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.792{27B459FE-5CDA-619F-E300-000000000F02}2260ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.ps1.bakMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371079Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.432{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F509922E828533E847794CBCA2EF793B,SHA256=78B24C18A426B28A426334FC6FABC36DA9F2FCEFB209410FF9B7C727F2CB47C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371078Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.198{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000371077Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.198{27B459FE-5C05-619F-B200-000000000F02}47484868C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000371076Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.182{27B459FE-5C05-619F-B200-000000000F02}47482880C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371075Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.182{27B459FE-5C05-619F-B200-000000000F02}47482880C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371074Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.182{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371073Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.182{27B459FE-5C05-619F-B200-000000000F02}4748412C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371072Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.182{27B459FE-5C05-619F-B200-000000000F02}4748412C:\Windows\Explorer.EXE{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371071Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.182{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371070Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.182{27B459FE-5C05-619F-B200-000000000F02}47484848C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371069Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.182{27B459FE-5C05-619F-B200-000000000F02}47484848C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371068Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.182{27B459FE-5C05-619F-B200-000000000F02}47484848C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371067Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.167{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371066Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.167{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371065Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.167{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371064Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.167{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000371063Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.088{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438F1D083D5C6DBA92A232D1857F4154,SHA256=10C16AB32F3C08B8168AD491D139BC304A2813F4DE32469C3FFDD2D2FFD90878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324171Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:18.146{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECDD69FBC1A4B84945A92ECDFBE927C,SHA256=FF6CFA2D716C92BAA64763ABB80AEFFE71F718650553EFE78CECC6D9F7928FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371081Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:18.089{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8F8019B76016E2879C9B5D14B0D398,SHA256=ED1E65050B0B7C2AC9A08029F4F5E32374A3C35990A97276CB01365A16F03D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324172Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:19.146{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123005EC5E0E64777C3BF471724FA311,SHA256=66F57AC5E2E167231EF24E17587065FAFBB7D22E39B81E4CB957E857A4859127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371082Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:19.104{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB3C6841CE76DDB35111A8412AA200D,SHA256=3CD252D4ED44F9BD0ED7330089AB26C2BD803C7ADC6B32B4FA633C5014EAEF4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324174Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:18.672{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50023-false10.0.1.12-8000- 23542300x8000000000000000324173Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:20.149{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87EAF793633EF6229E0F6C95951B424,SHA256=CE5D2B05B8B92ACDA2CE5BA243A620A2D19C9DC670966F0BF4557540CEC0C680,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371084Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:17.164{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58928-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371083Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:20.108{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7224A3ABBF60239BA20540415E7B32F2,SHA256=8C84C69BA3FA055E90BB8B77763423A86B853FB6BB62C3934B0FF10D17316CBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371089Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:21.827{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000371088Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:21.827{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000371087Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:21.827{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000371086Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:21.827{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000371085Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:21.265{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=071594387FC5027DFD3F1D0FD4B5718F,SHA256=2FE17F1F391BA0718E7A51C2FBDCFBBA96D57FA7FB24B1E88ADA04D164F0B76F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324175Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:21.149{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC5ADE9E11565CB57C1393E4D29266B,SHA256=BE7DB4DEF62AD31F512A143309965AF07183B58D0C6F754A62C51CD133EDA937,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371099Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:22.608{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000371098Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:22.608{27B459FE-5AC4-619F-0C00-000000000F02}836100C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000371097Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:22.608{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000371096Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:22.608{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000371095Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:22.608{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000371094Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:22.608{27B459FE-5C04-619F-AB00-000000000F02}43361316C:\Windows\System32\sihost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371093Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:22.452{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000371092Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:22.452{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000371091Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:22.452{27B459FE-5AC4-619F-0C00-000000000F02}8364116C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000371090Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:22.296{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6C4113D25C73F5DE82EF48AB1221D3,SHA256=32F9AA1B3EA89F641AC1373BA4D11820ECB049C2D9AA0CDB6A5B72D77E86BF93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324176Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:22.149{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD1985E5620AB35228DCA3505273FFA1,SHA256=E9002F4681587A374644CBB6E476EDC3CDF672453E44A36B8F4005FFDC52F22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371107Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:23.312{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A75E5B59068BA6D624196ED33F3F84,SHA256=3BBD2FB8DE0B074295FB5AE5ABF4A43453E78C986A162EC23913A1DE90A558FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324177Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:23.149{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908466AE6F1D7273CA2D06A0012E1470,SHA256=213DC5925C4DB069EE873876CE7C8B54068E9631C34A3157146420A7B0F8BDF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371106Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:23.249{27B459FE-5C05-619F-B200-000000000F02}47484848C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371105Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:23.249{27B459FE-5C05-619F-B200-000000000F02}47484848C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371104Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:23.249{27B459FE-5C05-619F-B200-000000000F02}47484848C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371103Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:23.249{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371102Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:23.249{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371101Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:23.249{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371100Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:23.249{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000324178Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:24.149{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B920FFE600E6AFEC05F38FACFEF60914,SHA256=482DBF9D18C250211B1C9CF2BAC6629B79F92AC6131367D56B1DD83AC80A6A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371108Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:24.530{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF85C6E94F243EB5D1FD6F756026ED2,SHA256=EAB1428EABCAF2A8922AF28746C6756CE0DCA146E89A2BBBF11C4D6D999876D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371110Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:25.546{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494EAF68BD1D44DDB0E37704308A898E,SHA256=70F97B6BB7AFDD838DA0F6C08CC617EC8268F1754CEF0B7FE1861774A637503F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324180Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:23.831{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50024-false10.0.1.12-8000- 23542300x8000000000000000324179Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:25.149{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA4A95665C11D4233282E000B8BC6EA,SHA256=CE0FDB2AC7994B0D1516659551F1D97D2B341FB1FD8A907EE4CF020F655229E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371109Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:23.184{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58929-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371113Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:26.550{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A7C8016BEA3A1775CCE8EDA3025F505,SHA256=AD2ED1420BCB6DD82F1F41E1BEB15F48086E852443CB28C2105C5060089D2BF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324181Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:26.180{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87807F17EA41ECE6A63BBD1CF9C06C55,SHA256=461C6EC9FB554F4670846C13C428543265E76C92F498FB923B6D6F3D09B27987,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000371112Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:07:26.393{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:\temp\0 23542300x8000000000000000371111Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:26.271{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-022MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371116Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:27.626{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2901673EF934BC42BCFCF03621241331,SHA256=AEDFAB97D5BB99A7D4B3029BC88C429233E8B9C642683DCAD25295A58EEB1DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324182Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:27.196{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF448DBFAAAADAEA6A1EA1128E18C1C,SHA256=97B7D70F603A6C09525F3642A6C5FDF64C0336433FAFFE8DA9D0CA51B6F03BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371115Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:27.270{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-023MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371114Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:27.065{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C1098B95E72D7FBDC8DCC3FEA6CE5E6E,SHA256=7EF2113D8E41501645549E9BD4838CE94A09A59D49334AAF57CACDD54EBF83D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371117Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:28.630{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FF9115FAA2E295B3709B40140AD357,SHA256=32CFED4B22B312EA23685292F8F86AB2C979905F5CC616D6900BE61DFEE79DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324183Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:28.227{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3EC27EDAE59034DC2DE92E0C9D31973,SHA256=52FA0D1E170E45B374BA02EDADF1F4F38BA0245170BC93B4ACC2147F442B4CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371118Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:29.645{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF589478139652831D8EF57FD5F66726,SHA256=6754CA3DE7937614E03CF2CD8C8537FACF9CA901AA7C0AD080F829931505197B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324185Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:29.383{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=56FDDF456262A6100EB96988DDD0D17D,SHA256=77E29F2488ECE9E98CA22CA3D302C903CBECF82669F8B731DEA4184F430A631C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324184Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:29.290{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87ABE0329B167F25AB3E58FD65A449A7,SHA256=F98A5759A09EE83E0140BD245AF3B713605B9A99519E7880A8FDE3E17F0BEDDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371119Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:30.645{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C129B4F18A74F10864D216EBAFAF402,SHA256=3D74ED1584E421344EA570A87B0C4C384586776E05ED777C7129256D3B75917C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324187Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:30.290{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324186Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:30.290{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DDF3898AEB64103432BFCFDBC81378,SHA256=D117859D7A6E30D31A44166A1B1D0156DC55ABD87EF4E94B6329A4E9D07FA157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371121Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:31.645{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90547CB2EB13CB69312842E91DD2A823,SHA256=86CEC14AFDDC2E66ACA170CC93BEF6EA2E7A370AFC4808A8442D3444EAB0D7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324188Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:31.321{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF92F49AFD07C75EE7A030AE5A6D411,SHA256=5B035638F6BE38BEBF11BBBC04A0B89AF67939D5AC1BE81C2D342789FF27AD93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371120Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:29.064{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58930-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371123Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:32.645{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C544EDD055CB6AB69DA516FAD468884,SHA256=E50D9842D846BAD9B5DB578827D4C6F678C9F7F15FDDDF4758456AF043B6B073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324191Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:32.336{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93ED3D2C7FD81BB90FC4450A0762A5D1,SHA256=C63E62DB8B8AA54FD2F4D1B36DCD575D27E87B053417A10B6929778137F0B03F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371122Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:32.583{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5EFB-619F-5301-000000000F02}5944C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000324190Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:29.862{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50026-false10.0.1.12-8089- 354300x8000000000000000324189Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:29.674{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50025-false10.0.1.12-8000- 23542300x8000000000000000371124Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:33.661{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA9B804030351D7B5D695AFADFA75BF,SHA256=9C9C2C7FF391363B6815FD02DD6FADB0FD22C6C05CD0D3468D938DFAB43BE0CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324192Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:33.368{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D34DA22D4ADA5A46F5EB3A1640D146,SHA256=F819C47C72AB0234F6D848D10FB2D36F73E2FC5C17C412B9489F0282C81A31EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371126Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:34.661{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE9DD03AFA004B589938AF32B5D4A01,SHA256=C9A5BA79D081DAC8E4F076CCA7C282BA3D12CBC2E3081E454DE71140B6E70750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324193Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:34.368{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2015E7862D5AEA6B3DE079B7400A9D00,SHA256=E7898F2E0FAE037446DCE9C176EE7CEC73321F3B706157F1458A62E8ED3B846F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371125Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:34.458{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8B5A761D8C1138C99C52A6EC766CDDB8,SHA256=DCFEC46E489289CCAB749B51F7CB99AD2D3FB9D1599694D2678B90EAE1FD23E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371127Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:35.677{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC0BFE4287BC29EE7ADDA78CC926BFF,SHA256=2B5DF43BD7B164B723A52531997E866931B59781B6190CDE59DB0657EC77D14D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324194Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:35.415{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04460C4FA14E2DF006805F85F2CDC786,SHA256=9A5F114B4AF8407C234FE75C513559D5768AD335F8DE3A18454CFCF81E5F0958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371129Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:36.677{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BF05ACA251C226732353E3A6239205,SHA256=A8BF5DB5184E5861686C5CEE9945C4F359CE88EBC363630D8B294EFF018556F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324195Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:36.430{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4905FFFDB1A1688D9A543631DC31A20,SHA256=4A11FA3CD2B0A5DCEA7AD793EBE5D772A1F6A5558E9BCCE44FCC4C4C29EE459A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371128Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:34.142{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58931-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371130Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:37.677{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950FD728B85923BC7B83B084312EFBCD,SHA256=00AE9A2690A4ABDEB4FB46412EECA303528E519160942F203A7326E08F1FD06C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324197Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:37.430{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607463F4FD79006ED904EC20BB6CFF82,SHA256=EBAAC550CF2E9EF03734763E3960714281A80739220B7F4D524C8A7D47F14221,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324196Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:35.659{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50027-false10.0.1.12-8000- 23542300x8000000000000000371131Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:38.678{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F991C8A056C645B2C793DB7B087857D,SHA256=EC06B65914C551ED1E825F38F1B741D3E034EB24975A4E1FE718979A33D4C8FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324198Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:38.430{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F870594882A859F008F5B03670D3486,SHA256=56D8A9ECC5D49CBD10C0E04DF4C7F7AE72FD447FF54D16CF53E716B6C42C2F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371132Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:39.707{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D924EAAB3B626918310BFB63FE7DDD6A,SHA256=66AEFD045AD34495194D31C03A4B8F493AAE7483233051862C0336F56F3F12FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324199Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:39.430{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F87D64D757976DF75452B7D5D6FA5A2,SHA256=22D3F3EBA79D5A3E1D8DBF889DC9370BC4F7A6224EAE58AA15DB9DFED2A9B7D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371133Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:40.707{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6427EA513E63ACABC780DBB9D5328F3B,SHA256=B7AA8A858DD905F4CC5E255FC3A8C39FA751BAF14A9B9A81F60308DCD00BB45A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324200Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:40.434{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984F03E235A094DB4908F95EB026E7B9,SHA256=C2F9E72DF69FAA64569F4660DAB14A09F5FBF641C9925148A0F6F9462A03CFB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371135Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:41.707{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86CEFAF28DE3FEF1CEC14B8C91B65DDC,SHA256=294DA59AE652385701D08ED662DDE231DEBF83DFC69663E8620C73032D132CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324201Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:41.450{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB961911DCD4995BC3BD00140242212,SHA256=7760FBC44983546509D72AF7C56BFB0B3F85ECA17A460C38AD09A772AADE04D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371134Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:39.157{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58932-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371136Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:42.879{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB1087BDC6B097059A9EEDA304735B9,SHA256=47A7025F22BF675B143DB8FA2F0AE4F1F0D440EE2ABAE8AD25C28635BACDCF71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324202Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:42.450{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F6050D31CBF8B5288CA51E37F84E22,SHA256=C988B97B8A0BCEF6F0A3B1F6A98B8BD76D9CD8144E3B53E7CC5F3601EC884E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371137Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:43.910{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93898F0527D68094072E8622FEB0B197,SHA256=153C48369442FCE82D07EAF3DCBE44CF640927D39B8AAEC48EAB49DF5753375C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324217Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:43.621{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-606F-619F-3D01-000000001002}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324216Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:43.621{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324215Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:43.621{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324214Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:43.621{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324213Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:43.621{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324212Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:43.621{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324211Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:43.621{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324210Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:43.621{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324209Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:43.621{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324208Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:43.621{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324207Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:43.621{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-606F-619F-3D01-000000001002}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324206Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:43.621{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-606F-619F-3D01-000000001002}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324205Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:43.623{99D2EDAA-606F-619F-3D01-000000001002}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324204Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:43.465{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBED6C957137A84A4AFADDFF08AF026,SHA256=A2C2B44E024E434C3196A5844191FA3D73EFD1F35F0EFF61466BEDED30E2A323,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324203Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:40.788{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50028-false10.0.1.12-8000- 23542300x8000000000000000371138Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:44.957{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321FFB9BC164F32CE3411EEBD11CEE83,SHA256=66B8724DB5C0A8C362FAE0EFEF2E6A4FBA6F9A12EC037D16AF9D93BF290A780D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324234Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.840{99D2EDAA-6070-619F-3E01-000000001002}36563100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324233Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.653{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6070-619F-3E01-000000001002}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324232Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.653{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324231Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.653{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324230Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.653{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324229Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.653{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324228Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.653{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324227Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.653{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324226Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.653{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324225Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.653{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324224Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.653{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324223Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.653{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-6070-619F-3E01-000000001002}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324222Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.653{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6070-619F-3E01-000000001002}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324221Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.654{99D2EDAA-6070-619F-3E01-000000001002}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324220Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.637{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=070CEAD547C8675749E4F2C744F48954,SHA256=8C7E50BBE1B2AA44AE8EB3658338156760117DE2D1DFD9B415130C6A7E8CE6AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324219Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.637{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E43B62D2D7071257038DC6046741DD6,SHA256=9FA4330D290509A71820509688F2DC2FBF101F17CAA9977EFB811DFAF15CFAE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324218Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:44.481{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64F913855290B502C3617A3849414E4,SHA256=94D25A157C1E04AE501C9D40F45640F3EBF6208E155A03DE75F0B264A35CB6D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371139Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:45.973{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10ACB73F2DF7AE43F9DE3DCB2516E2C3,SHA256=CD06F8EDDA20999BB6F36BE0F26C5578096D802B2AFD20C5C6BE66103BE18F15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324249Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:45.887{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6071-619F-3F01-000000001002}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324248Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:45.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324247Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:45.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324246Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:45.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324245Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:45.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324244Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:45.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324243Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:45.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324242Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:45.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324241Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:45.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324240Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:45.887{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324239Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:45.887{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-6071-619F-3F01-000000001002}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324238Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:45.887{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6071-619F-3F01-000000001002}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324237Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:45.888{99D2EDAA-6071-619F-3F01-000000001002}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324236Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:45.668{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=070CEAD547C8675749E4F2C744F48954,SHA256=8C7E50BBE1B2AA44AE8EB3658338156760117DE2D1DFD9B415130C6A7E8CE6AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324235Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:45.512{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D087F8817F0AEE63E8EA9C2BC6C64E,SHA256=EA6342B8A04D2A8B84CAABC6C04362ED4C5C37A965E132053311EAC95C4AE522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371140Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:46.988{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADA6699DAD3312223B65635BEB38B07,SHA256=CFBEA2BC0D1E74C5B8AD47369AE5A9A94BC239233634AC9CC44522DD77620310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324251Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:46.887{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DF170EBC4240B85B8DCCC52F9EB4EDD,SHA256=FCFF4B343B38765D43E5DA019CFB64BDB862C803FC70AC1783B0A7D5D61D2C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324250Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:46.512{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA50E29769F64152BF981B3E686D1EEE,SHA256=6F35BC6607C6053EA68AD20735AF3806965A1E129D9397F8ECF010C4B3C81109,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324266Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:47.685{99D2EDAA-6073-619F-4001-000000001002}22402896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000324265Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:47.543{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9896FC412B5644BD1497F23F2F3095A,SHA256=921D58BDDE2315A242FC153ADA5CA97CA58E88530FC975C42C2EB7558E68AA5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371141Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:45.078{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58933-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000324264Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:47.481{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6073-619F-4001-000000001002}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324263Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:47.481{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324262Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:47.481{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324261Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:47.481{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324260Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:47.481{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324259Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:47.481{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324258Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:47.481{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324257Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:47.481{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324256Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:47.481{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324255Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:47.481{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324254Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:47.481{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-6073-619F-4001-000000001002}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324253Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:47.481{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6073-619F-4001-000000001002}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324252Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:47.482{99D2EDAA-6073-619F-4001-000000001002}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000324283Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:48.794{99D2EDAA-6074-619F-4101-000000001002}96712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324282Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:48.606{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6074-619F-4101-000000001002}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324281Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:48.606{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324280Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:48.606{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324279Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:48.606{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324278Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:48.606{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324277Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:48.606{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324276Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:48.606{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324275Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:48.606{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324274Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:48.606{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324273Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:48.606{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-6074-619F-4101-000000001002}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324272Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:48.606{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324271Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:48.606{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6074-619F-4101-000000001002}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324270Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:48.607{99D2EDAA-6074-619F-4101-000000001002}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324269Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:48.575{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA1863566EF482BD59DA92F57D408FB,SHA256=1D114A5803EB421D1652BA63531F8F102DC580284CFFBB732A6E5140E19AA133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371142Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:48.019{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC98CF7EA083BFC6E943275FE5C7B240,SHA256=5E8A9BE06BA48EDDCE99022214B9545422B56678857E867489E1F0634842B715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324268Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:48.496{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D202EE064B98127FF6F2F8F5223E86D,SHA256=E0748DE9165EA076664E2C531A56EADDCA9035DFF6F57FD1AD52D0766D45F528,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324267Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:46.709{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50029-false10.0.1.12-8000- 23542300x8000000000000000324299Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:49.950{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6E8017801ADC7E9089948D519F60E7A,SHA256=80D876A62D187127CB45B21A07CA15B703E10A1780C6F2A8E46982D95C4EA84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324298Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:49.950{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FD2CF128EF15E8E5061B89139B0BCC,SHA256=F9D2601CF5C5AECDB12C440810CD2FE89DB8F7B1E4DE7C4789E2192A04C2A6BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371143Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:49.019{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F24D1D6C6389FB3A697E660DE393DC5,SHA256=28C5D33CD446183294405A846B79C3475855F99B473D6FC15AC641B87AFC454E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324297Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:49.496{99D2EDAA-6075-619F-4201-000000001002}19121916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324296Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:49.356{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6075-619F-4201-000000001002}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324295Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:49.356{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324294Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:49.356{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324293Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:49.356{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324292Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:49.356{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324291Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:49.356{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324290Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:49.356{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324289Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:49.356{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324288Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:49.356{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324287Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:49.356{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324286Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:49.356{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-6075-619F-4201-000000001002}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324285Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:49.356{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6075-619F-4201-000000001002}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324284Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:49.357{99D2EDAA-6075-619F-4201-000000001002}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324313Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:50.965{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB359DA8E251EBF96B1E8D4A57788D25,SHA256=4DD81BF7ED3B987650F6ADC5472790C3F710B62DC79AC198416193ADC0F5ED0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371144Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:50.019{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FAA365D891953610AA9782229C2DD4,SHA256=6757AA5C0F847FC644FCFE75880D6CE1DCE85475A1B0A0498FC82F526426E3A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324312Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:50.528{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6076-619F-4301-000000001002}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324311Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:50.528{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324310Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:50.528{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324309Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:50.528{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324308Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:50.528{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324307Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:50.528{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324306Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:50.528{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324305Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:50.528{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324304Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:50.528{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324303Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:50.528{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324302Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:50.528{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-6076-619F-4301-000000001002}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324301Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:50.528{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6076-619F-4301-000000001002}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324300Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:50.528{99D2EDAA-6076-619F-4301-000000001002}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324315Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:51.981{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810B663683E42B7F02AD12B1C023D023,SHA256=AB14AEBB653F2C117A59CD2C0E6CD36C41BD2ED0474D86EE83703A95215B328E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371145Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:51.019{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6F68943BB24B3983CC93C935FB9DA9,SHA256=7B99BE15CD79EB246C79263359D54369C57902849D30FE2085BE6667832979BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324314Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:51.575{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67DD941426C8AE560F985D42A87AE5AD,SHA256=AA75EBAE7A222E445F8234DC4A9E655797353A8893A46D930A760B4838AD1EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371146Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:52.035{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5FEE036442B9B4B70DBACF07C67D5F,SHA256=74A32E7E13E8024227E5BCAC8F24F3673A4A0DA38BC9C029C84C3F3EA7883958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324316Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:53.090{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8EF6BE8FE65E9FB9D971F897F689D96,SHA256=4353B09D3984A5979978CC769BE268578D05A0702441A1B40E7374DC91E109EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371148Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:51.063{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58934-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371147Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:53.051{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4ED522BBCB3B21CE4F9DFC01A5CEE3,SHA256=C59EDF003A5B48B83B6F2E1409078C5B4FA5D4B823406D35877A310745AEC8E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324318Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:52.616{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50030-false10.0.1.12-8000- 23542300x8000000000000000324317Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:54.106{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B66D6EF0717352D7EF5B63F797EF743,SHA256=48E61D6E22EF58D92EB64F4AA657DB9A9371D3DC7CA458A9CCB38EE319DB1814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371149Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:54.066{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FE9BAB10110463E4327599718C497F,SHA256=A6B33886D4A20D362FB414D825B492CB1D28639FA0403DC1B51000439184A014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324319Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:55.184{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B5B3530D7E573472F35F6358E74043,SHA256=794515CC1452BFBA0A28D607EB7F37A0FBACE3B4DF29D81E327822FAC313CBBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371150Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:55.082{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97050E47D5996633E97186C0B241BE1,SHA256=3EA1FD71371D3C0DE938CBA4AE25D24C9AC6561B8E68EFBEF3D1A4F8B29DB9F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371151Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:56.129{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=634040EE437709204CA814F10BD47AE2,SHA256=86C7C297A58EE66DFCE1DFF0038C0D1C2C10F03DCDAD99CB37D5713E36FBD02A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324320Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:56.200{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F3575FE0D8D7C9036353A07E2A97B5,SHA256=D80DEBC3E5CECE8EE18CE74EF95CB34455D8EAE4A535D10A52FEB5BA498A6839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324321Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:57.200{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE170B02773C32B408D3ACA4D1A6993,SHA256=342C5450AD95E50AB677781006C8B3F092BDE6850E88985C0B9FC878ABFFCEAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371152Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:57.145{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFA491C2D9D09E4192A13B4407EE3B4E,SHA256=7A6850B71036A6060E5731EF507B944851900472DB16EF3AD48B8D75A9BD1C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324322Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:58.200{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0455B120ABA6FB733DA4CD07D8932E,SHA256=B0492647E3B55BBEDACB25671C315E76FA8338829F70E1A6A5ACD25F7F5AF74C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371154Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:56.188{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58935-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371153Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:58.160{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF7B7015A8CC625867883D7B9F4FDEA,SHA256=EF05E464C0B32998DCE00E7A09E9F7D631C2FD5AE619CEA7F12684D67C27282A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324323Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:59.231{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A720C9D249D36F3283801052690B73,SHA256=A34CDA22D4C5D99EFD6FB103A8F1230BDA792E37153B94402A7C9308A214FD0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371155Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:59.176{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903D24DF7F4DB2FA6F8DE50FBD060F36,SHA256=21305E2C85222AAED7A5781BA529ACBAA7A046E1BD75A5DBEB4A1E99E9F941EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371157Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:07:58.117{27B459FE-5AC4-619F-0F00-000000000F02}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.147.142.196-53204-false10.0.1.14win-dc-266.attackrange.local3389ms-wbt-server 23542300x8000000000000000371156Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:00.200{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA803B5B98AC4884E66C529F13D2139,SHA256=2F6CEAAABF3160E6F0C427D816CB04961E2DB2A4146C163FB413FFF92E2FFB36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324325Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:00.255{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE79051FD9EFF0C383E957B3FE6A36B2,SHA256=643630BA5BD6C984DACAE1BC51986C0E4606290F0CADFDA8A67F406D01411675,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324324Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:07:57.819{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50031-false10.0.1.12-8000- 23542300x8000000000000000324326Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:01.286{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEAEAAC23030A2A7D4FFB5BB04B226B,SHA256=DF8330E5E19DBBCD476248C4D8C09C478B3E9E995BB15202A52516B158F309C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371158Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:01.200{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4829F5812E1A15AE1C8C690F63ECCFF0,SHA256=EC7CAF94F8FB0CF6E6C9EF153C64757CF781D91601DC146878E6FBECEB26F037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324327Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:02.286{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFAA825FEC26506175A1CD26068E19F4,SHA256=361D63B0EAD7AF677BC2A608274558952FE276B50D4DA04BF0F05AA38623CE42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371159Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:02.247{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5CAA58017F917472741CFFF31BD0C6,SHA256=185808ED6F324BA170753B2CC22DAE818446DBB8262C26CC61E3E8853AA13960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324328Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:03.286{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83285096FDB0EA2BEFEBF3338CA9F14,SHA256=708AF2B60855FE255721778F4D4BB51B0F03963F23673978FF67AD46096640AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371160Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:03.247{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9300D30030FC3D09FB6F1EC7BBA28F97,SHA256=E1664AC777C394A838508B5EE7BBCB2011D177BE7536F296B52E1B70B4CE5BFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324329Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:04.317{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F778F73A0DDB3F13187582F8B2C9AA9,SHA256=3D41943B1272F1032CEE05D00AA4E563CF26EEF28202A4AFC7F01E5963A76B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371174Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:04.684{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=767B7940B59B826CA63AB09D46091735,SHA256=D1D454788E4BB162EECD33ACAE7ABD055904D489C12A37A16177EF41A7B221A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371173Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:04.684{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9ADB519E1D85712BDF4F7933A03E132E,SHA256=A4DDD4C9A6ED7BDE97F664E731E7343AD68097F113E46348124FA990EF618974,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371172Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:04.434{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6084-619F-8201-000000000F02}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371171Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:04.434{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371170Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:04.434{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371169Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:04.434{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371168Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:04.434{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371167Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:04.434{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-6084-619F-8201-000000000F02}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371166Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:04.434{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6084-619F-8201-000000000F02}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371165Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:04.435{27B459FE-6084-619F-8201-000000000F02}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000371164Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:04.247{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CB67E9D5BE26273429B11B7B4BF5F8,SHA256=4A9E7DAE2B60EE388DE2768A204A18B74893095C2F45B2ECDEF8FE88FAF5650C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371163Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:00.899{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51044- 354300x8000000000000000371162Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:00.899{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:9800:84d6:7a6:ffff-51044-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000371161Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:00.007{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-49915-true2001:500:9f:0:0:0:0:42-53domain 23542300x8000000000000000324330Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:05.333{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE94296A1ABF5608563291E7B79CF34,SHA256=305FA849B104ECBED4F9E53A31D2060ED6AF936DBF9EB647D132DFB252AE6180,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371187Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:05.497{27B459FE-6085-619F-8301-000000000F02}53326052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371186Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:05.278{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6085-619F-8301-000000000F02}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371185Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:05.278{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371184Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:05.278{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371183Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:05.278{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371182Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:05.278{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371181Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:05.278{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-6085-619F-8301-000000000F02}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371180Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:05.278{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6085-619F-8301-000000000F02}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371179Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:05.279{27B459FE-6085-619F-8301-000000000F02}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000371178Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:05.247{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C1BD970E56B525CA0C9D7C347DEC54,SHA256=ADC9D1FF19C748CB28ADD89430A07EF453C384B3B0724CB1C25C8FCDA35B9E2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371177Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:02.665{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58937-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000371176Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:02.665{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58937-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000371175Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:02.213{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58936-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000324332Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:03.765{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50032-false10.0.1.12-8000- 23542300x8000000000000000324331Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:06.333{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0E37C6137233ED3701CA110C1137D0,SHA256=A09A4F36CCBBAD6ADA0494574B1B2318C4285D3F625F16F10B28A6F50AD0D25A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371202Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:06.434{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6086-619F-8401-000000000F02}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371201Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:06.434{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371200Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:06.434{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371199Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:06.434{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371198Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:06.434{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-6086-619F-8401-000000000F02}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371197Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:06.434{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371196Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:06.434{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6086-619F-8401-000000000F02}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371195Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:06.435{27B459FE-6086-619F-8401-000000000F02}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000371194Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:06.309{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=767B7940B59B826CA63AB09D46091735,SHA256=D1D454788E4BB162EECD33ACAE7ABD055904D489C12A37A16177EF41A7B221A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371193Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:06.247{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E143A870FFC0767DEF37A7AA9140AA96,SHA256=2B480CBC48361A7273300974406D2A6E39A58E6B684A9F001258CD0781BE32F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371192Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:03.414{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-49915-true2001:503:c27:0:0:0:2:30-53domain 354300x8000000000000000371191Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:02.932{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c870:f0d9:7a6:ffff-59974-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000371190Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:02.932{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local59974-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000371189Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:02.931{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53257- 354300x8000000000000000371188Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:02.931{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local55890- 23542300x8000000000000000371205Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:07.606{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6F3ABA7609126B8CF13CB801807095A,SHA256=5734742E1A4A3BC6E4355D0C89F6788E73234D9AF3217D34E41A6B5C540EDA57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371204Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:07.247{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C495282410D2985AE0F62478CD24F77E,SHA256=3D0E3B9BB31DAB1DE7B0DFB6393187432B44332830117B5D48B543E82BB22D45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324334Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:07.681{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-023MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324333Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:07.335{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B374E4565388930585A38768961B85,SHA256=D5916D112A8D1C5D056C4454F2C2D828E8D43A6F5DF185397E56D4AA3D78A830,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371203Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:03.918{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-65420-true2001:500:2f:0:0:0:0:ff.root-servers.net53domain 23542300x8000000000000000324336Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:08.687{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-024MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324335Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:08.342{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9786F7ACEB113ED430F42AA469263C,SHA256=80DF4486D24718B5B92AD064312269C9D9EEDC29E524A6A3473DB783AF9D09B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371216Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:08.825{27B459FE-6088-619F-8501-000000000F02}59004556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371215Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:08.575{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6088-619F-8501-000000000F02}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371214Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:08.575{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371213Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:08.575{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371212Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:08.575{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371211Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:08.575{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371210Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:08.575{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-6088-619F-8501-000000000F02}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371209Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:08.575{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6088-619F-8501-000000000F02}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371208Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:08.576{27B459FE-6088-619F-8501-000000000F02}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000371207Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:08.262{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E8ECD04AFD24C4AD671E810B189DEF,SHA256=F130343A4D9C0F432040D16A945C87F8E8DC460825FA2C7E08E0290D39326E7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371206Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:04.931{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local55195- 23542300x8000000000000000324337Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:09.343{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69316CEB4F2415A27CF22B71F083D27C,SHA256=6EEA34B1499CF8A5ABB08BA35A420BD8D0A3CA83E9EB65407450C553D4E96312,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371236Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.747{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6089-619F-8701-000000000F02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371235Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.747{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371234Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.747{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371233Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.747{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371232Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.747{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371231Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.747{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-6089-619F-8701-000000000F02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371230Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.747{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6089-619F-8701-000000000F02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371229Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.748{27B459FE-6089-619F-8701-000000000F02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000371228Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.622{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CE3D5225A1413908A85DDC43CD36AC5,SHA256=8D2DA42A049B43E1B69C5E5846E2E519288DE7EE1C677E95FCD964054887947A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371227Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.294{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86CC067D98DA45A3155F48A1D0D4F947,SHA256=277F90D22D75081C83D72A816057509BF71B8A2304A5B03F3C752D8DBECF8ACC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371226Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.278{27B459FE-6089-619F-8601-000000000F02}27161896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000371225Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:05.962{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local54983- 10341000x8000000000000000371224Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.075{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6089-619F-8601-000000000F02}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371223Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.075{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371222Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.075{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371221Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.075{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371220Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.075{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-6089-619F-8601-000000000F02}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371219Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.075{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371218Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.075{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6089-619F-8601-000000000F02}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371217Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:09.076{27B459FE-6089-619F-8601-000000000F02}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324338Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:10.343{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88848DE1B7A8821D9F04D4D35ACE6E4D,SHA256=635540DB3B9F94DBD6899021C0A0BDC2F9242388A199BD354AA5CB58F5356EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371239Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:10.981{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57D708C2C2E0A3B8027810F44495F8A4,SHA256=51C7F678BCA0869546026DB430DF0C02EC65B2F1EC7B1E9B59DD9D55FDEEAA4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371238Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:10.278{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D97F1DF07DB67BDCBF94F0B9E481EF06,SHA256=52D4455D8952A28F4CCA3E80FCEEA37D67B65AEAF2EF10D7004CDCE400156B73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371237Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:10.031{27B459FE-6089-619F-8701-000000000F02}56925752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000324339Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:11.343{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4259343CEE32B491356A60B529B6F21D,SHA256=D98AC86E7E91B24B1B15F1FB7C110012F930EC4C00F79F5AC5C51DEA4DA0D2CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371243Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:11.278{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C973FB4053F4B7451B6E6F31017D681,SHA256=FE7E9D0D4B051E25705D2443098674747255CC6E8501AF794F3E69E70F1DF59C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371242Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:08.103{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58938-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000371241Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:07.946{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-49915-true2001:500:1:0:0:0:0:53h.root-servers.net53domain 354300x8000000000000000371240Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:07.946{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-49915-true2001:503:ba3e:0:0:0:2:30a.root-servers.net53domain 354300x8000000000000000324341Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:09.713{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50033-false10.0.1.12-8000- 23542300x8000000000000000324340Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:12.405{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62613363DD96000851959F3AB446455A,SHA256=CF2FF61D2D81736707F043F7A9BF4BF09D8A86532F46CBF48608CBD74A6F8429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371252Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:12.278{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8961C23709D88F7DD33D25E03290062,SHA256=C656387421BDA5AAD51146202E804C85A3F5A9D5B3E7AAB982453A8F8AF23BCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371251Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:12.137{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-608C-619F-8801-000000000F02}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371250Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:12.137{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371249Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:12.137{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371248Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:12.137{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371247Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:12.137{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371246Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:12.137{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-608C-619F-8801-000000000F02}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371245Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:12.137{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-608C-619F-8801-000000000F02}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371244Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:12.138{27B459FE-608C-619F-8801-000000000F02}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000371258Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:13.559{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=261D5DB998F3EBA394092A72382F8F88,SHA256=698F3AA0EF22EAF5B25514DB491021F325597A355CD18783280560C95287F495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371257Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:13.559{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1BF20BF563A36D42C43E170FF9923837,SHA256=5EF3984F74C1E6561B277D31D7FCFC21BDBEA89AEB8C0DD3661E9C53231DC6D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371256Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:13.309{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C792EBCB72FB5B674A29C546FEB94A,SHA256=B38E3C75B6042BE4D450419CAE630CAE036CA64156897135BFCCEEBB8917F376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324342Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:13.405{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE0CFE46DA9E172DA33209E052C5D7B,SHA256=38BFF1860D80BD74054D40C14E58C2B5840CDEA5A9147BB0E37D01FE3DB3AB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371255Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:13.278{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2014C5AB60291CE2368161B69077E039,SHA256=6D8290D8DC72F6FF500FABFBCE1B31E398764A3A3E9CFBBC07EACA7DB320399D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371254Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:10.056{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local51045- 354300x8000000000000000371253Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:10.056{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local51673- 23542300x8000000000000000371261Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:14.778{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371260Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:14.544{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C917A03EF3A103967A2B1BEF394A0B29,SHA256=4D4680FBD285C889496510F322C4F153D0BDC72918C8837614742C718D47E83E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324343Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:14.421{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B990A603966D78444D1391F1E9EE2A,SHA256=E78E4CB60050123FC740B0D6BA705AA3F80F3731AEF9A2E5F4F3FEF255D9EAE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371259Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:11.571{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-51044-false127.0.0.1-53domain 23542300x8000000000000000324344Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:15.421{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1930E1C5D3438A5F668EECC5DB2DD378,SHA256=70BBB6CD3A122BB6A905DD6A0F2F40527A41335C3E07D3C018C848BBDB267B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371263Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:15.560{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EDF86C2AC929A0CAD165B621AE0E92B,SHA256=58C36C430FEECAB01FB7DC9B73701A624D782534ECAE9AD2DC0E0C419914EBC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371262Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:12.477{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-49649-true2001:7fd:0:0:0:0:0:1-53domain 23542300x8000000000000000324345Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:16.421{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA0EDBD32DD5358E5DB04A5F3D09BA4,SHA256=E15EBA23F65AFD0E2D8232459249CC62CF35A249C0BBEF23BD6694B0F76A42D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371266Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:16.591{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8751FDD765B7EF8D4FDC1F3DF762882D,SHA256=46509F4002FDE2EDFA8E308792C803C75DA0F0105A11593857B5DE2D29912856,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371265Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:13.790{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58940-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000371264Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:13.228{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58939-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000324347Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:14.775{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50034-false10.0.1.12-8000- 23542300x8000000000000000324346Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:17.483{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2D92F722B0C565ED0EDB02762B8367C,SHA256=1D0B17B9E0F3127DD734F380895E1AC03626103B435E3C7B842B064D72B1FE68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371267Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:17.653{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A6746EFB8D7CA7E36E6CC9C0C75DA3B,SHA256=B97AE658CCA1BAEEF83E12550FCE3E42B7276DBE496A645D03382CA83B5CAACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371268Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:18.653{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6050E682A447CA195D7EE0838E714EF6,SHA256=2CEC56EB1F28DFEB2F96A0DDA3D0AFB1602B2EA6A372FB6B1D60E68AAB3E5FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324348Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:18.515{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89E1D85E1D8956F4CD27391BE8399F48,SHA256=693104E0CAD5498ADBCB0F06210E83FCF290EC9C3E74055627DB7CD63F0F4DF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324349Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:19.546{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44295A6B3B699DFD7D96913DD253B760,SHA256=13DA3051F220F6D18F980D12DB7367889B4A6ABE1221BFF84BB8E99C555EE15C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371269Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:19.673{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24C6523777C649939A9A82313B11EA8,SHA256=F9816D96AE5399B91A1F17A85828BC7B7BBECC3685B2406426E366C59CBEBB2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324350Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:20.556{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C83BD6FF594CDE4D7252A2459864AA,SHA256=ABAD0D55209A675B9BD1A79AA13E0EF6F3DDE4A7450D2F15756DA2981CD91C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371270Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:20.689{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5039127C5B1C96CD711FDE1974FCE4,SHA256=EE1DC0CB18CC8B2F76FA2031E7B2566AE7BA0B1BC829EF56C063CB1F8205867C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324351Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:21.571{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3ECA2EE108EB82D9B185CF4FD427BE1,SHA256=F95A9D4509361849EFA7BA592CD1914D8DC179FE521E42C60DD40DA2E0D11CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371272Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:21.689{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92179FD74167AB96AFD1F6289BE292D,SHA256=C8BFA3CFD049DFE5F397D89DB7652889C79C992B739F7250DDE7179B771C80AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371271Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:19.201{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58941-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371273Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:22.751{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF96D8DED3521EA2CFFD81F8019EAC8,SHA256=C8ECE6A5B53D509D66F9B85CC57B5D1E3919BE3C62552FFF0232B0D59184F657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324352Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:22.587{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917BC4C05532ADE008C531B33CBEC2FB,SHA256=039EB951652BA25AC2030090FE505A9B0B54329294CF86393D0D009CE3F05FA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324354Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:20.707{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50035-false10.0.1.12-8000- 23542300x8000000000000000324353Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:23.587{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38E13C823577D1E5F238C8A00395774,SHA256=76880B87FBBB9B055CE27B587FC0309A302F0243DF68202734455ECAA65A1556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371274Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:23.767{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F03F4B4F82F1D73352D662752841824C,SHA256=1960D17D6033ACFBC4E7428B780B0529074E6D1CE69CF0663878E80081987D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324355Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:24.603{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8F394DAF1BF9EDA6C4BF31441FD4AC,SHA256=A7CD38E319470E9C44FB92ACBDB57605E6F47E44B03BB8426115FDC2239FB143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371275Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:24.767{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2414D376AFF5DDE81678906C5905A864,SHA256=37FC863178E7924AA5272D106614696C166AB06CA2649DB09C2E2644EE19445D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324356Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:25.618{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B783973C317F751D03D99A3926ACD303,SHA256=24B68390B325ADFDA6F5AA42B4FD4FBC0A297FBA724AD730CA13563C5A8EA674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371276Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:25.767{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23BA4D72D162DCC4E1A460AE513E7CD4,SHA256=88DA3C6EC75CBB34981F7DF94C5D4672C93B0EC8793C84355AE8999C2DEDB617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371277Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:26.814{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F570F3AE139C8F9F8732810ACDECCEFA,SHA256=B028F0F38DA438FFA6D5ABC634770F51FD41D9C8C93FFC2B50BBC5A6674F0F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324357Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:26.618{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A57BDF9F4AA34F65EAB04EB28BC598,SHA256=E86812F61DD56A68CF039361AB62CC5EB6B5141E6CBD7A6BB2A44A9608D9D51C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371280Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:27.818{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACB8E1B6959264626E9A10C0FD52BF8,SHA256=B807C4D07581EF58327AF901C708FFC28FEDC63AD995ADB540686D13B915CDDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324358Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:27.618{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24FD3508852D42ACF23AB7D92473A85,SHA256=37230DC128369E17656BD02FF0A2B258F1D2C7A88C3E2B150603DBA42C168A04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371279Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:27.804{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-023MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371278Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:25.169{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58942-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000324360Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:25.816{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50036-false10.0.1.12-8000- 23542300x8000000000000000324359Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:28.618{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574354952A993D0A56D37B2A7B8B8848,SHA256=66EDFDEAC2D63460D1BFE1A25057D6116F33BBE3D977464DC1F17415378BC4A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371282Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:28.832{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039B86AF0FABEB2504721B6A1A7211CE,SHA256=B3BECFB20A2A7454C4AD3DF359CCDD32F4C72047A71F9449FF691A5CABB77AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371281Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:28.803{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-024MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371283Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:29.837{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B7011E084D8FDF7BFE96C5A9864822,SHA256=E3CFBDCA8A1561D4E8B37EF6F2E0DF3FCB3ADE9C511A581A770EE8FA4CA16D77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324362Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:29.618{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB41F3A9678B645EC16D247606968F51,SHA256=37EDC93DE12B8D477E9807CC0EA0103DE790FBF83995FC0305CC62EC89309BF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324361Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:29.384{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=67B536AD61075DC36A80055C43A1BA0B,SHA256=7D003F7E79B117FCD90EF960DDA08378AF576426D2C1940756BA8ADDC4209E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371284Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:30.852{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74302DB06C9374C05ECACD5313AB7BCD,SHA256=CB120CC613F4FB483A20CAB9EA75EF87CD00F90352E30ED6581F7513B0DEB6BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324364Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:30.618{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE709EE682A08547C0B34B84BB6DF306,SHA256=EC20170924D1FBCE1A732CE559874AD8A9A82164C4BFF677B75723577AA2F3C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324363Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:30.306{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324366Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:29.879{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50037-false10.0.1.12-8089- 23542300x8000000000000000324365Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:31.618{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F9C22FFC76F3E8580A38C0260AE3F2,SHA256=B46DE2BE520D0D3A18A2EA23C055A1B6677BDEE969B8AE397F98D90523582460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324367Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:32.619{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A71B7B1EC64C5A11DEFF67D86D7B0F17,SHA256=0C96F42F279B6BB227AEE734DE6CEBA1BDC1FD15CF208682137FA558A03AE490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371285Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:32.055{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E069C3780514AE354D1AE3BABCD991,SHA256=EE876E51131C22982BA83A272B6CE5CEC6D87C9089CA4419F0695C93CA7B6700,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324369Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:30.832{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50038-false10.0.1.12-8000- 23542300x8000000000000000324368Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:33.629{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E569930F3873F43CFBB5F0EFC3C3CDF,SHA256=D6A78FC02BB196E4361B1623158EDAB36C5A7CC1C3F43A0C9ACFA8E848E72F69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371287Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:31.051{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58943-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371286Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:33.055{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F420AA13C0A7D95188241EFAAED88577,SHA256=6FF0B9424B80AE6C30E5DB978F153CD5F941CD0015CADEF8564E6F8204B889FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324374Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:32.433{99D2EDAA-5AC3-619F-3A00-000000001002}2620C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50042-false169.254.169.254-80http 354300x8000000000000000324373Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:32.337{99D2EDAA-5AC3-619F-3A00-000000001002}2620C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50041-false169.254.169.254-80http 354300x8000000000000000324372Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:32.302{99D2EDAA-5AC3-619F-3A00-000000001002}2620C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50040-false169.254.169.254-80http 354300x8000000000000000324371Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:32.301{99D2EDAA-5AC3-619F-3A00-000000001002}2620C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50039-false169.254.169.254-80http 23542300x8000000000000000324370Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:34.630{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F68FE5E47A69DDAD9AB49396A1707D,SHA256=5D1FF91FBA382066A19A28AB7B947BE89D9301FC39A86FFE4329135DB60EADDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371289Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:34.462{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9A4C741262BCC352E6FF52A49AA4F608,SHA256=85F9A0BA1B0EF92F9308192B88A2D63D76400AB4918021755BBF9F8273C885BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371288Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:34.102{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1146763FF976A78E0A133A2F7FC962ED,SHA256=81F799425C54BFB452FE6F1FD13E4B97122E4460C83A2A1FCC6C69235342F894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324375Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:35.630{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CEA8AA3D4EAF4476BB63F63FE799FC,SHA256=6821C1A25861AF25D4C15B99FFACA034D74D55D29538D434EB76E84011FA577B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000371300Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:08:35.930{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000371299Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:08:35.930{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0017ad37) 13241300x8000000000000000371298Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:08:35.930{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1dc-0x06dbf8a1) 13241300x8000000000000000371297Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:08:35.930{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e4-0x68a060a1) 13241300x8000000000000000371296Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:08:35.930{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1ec-0xca64c8a1) 13241300x8000000000000000371295Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:08:35.930{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000371294Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:08:35.930{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0017ad37) 13241300x8000000000000000371293Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:08:35.930{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1dc-0x06dbf8a1) 13241300x8000000000000000371292Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:08:35.930{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e4-0x68a060a1) 13241300x8000000000000000371291Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:08:35.930{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1ec-0xca64c8a1) 23542300x8000000000000000371290Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:35.102{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5F80FE20DD91B44DFC817A9DEB14C0,SHA256=C674D46C1619A306C9404549C73C2FDBF0C0A045C80DA62EC57815DDB1CF3902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324376Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:36.630{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C771DD3F41D08A1876347AA143D485,SHA256=BBC394FF3505323B3B750FE4B903D953E3DAF2A0B6CC00EB8041B31F43F9ACBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371301Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:36.102{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67CAFDCD88C1F39BC15F915B0DE13DB6,SHA256=58893CDC6BCFE05C3C78168CEAB2FBD964911D20005063245D53D3D06142BA86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324377Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:37.645{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBA92E4C67498413D0D447044B19C9A,SHA256=E99DF95F1236473AD9446A29EDF5CCE203EB95E7DC3C9727A15E8CA1E8A1EE94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371302Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:37.102{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1120B4A951A6CA7D3DF2AD0583757304,SHA256=A3A887C6804D5F5B28AD7642C35285B300396231462070CB16A3C07F825A8857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324378Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:38.645{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B8E2ACADFF4BE63AE991E4F769F402,SHA256=C6E3EAAB5575F3634167F0E1AC168681D7B13C067C6DFA2E446EC0D2762254B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371304Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:36.287{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58944-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371303Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:38.134{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7BDF4D8EA8D8981845C4ECA2836E8B,SHA256=F5C8032B340B315D85726A466FB7AE15163D64286D6100B45283CAE6B0C94840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324380Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:39.689{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E8316EBDC4104D2CB2641A860064B3,SHA256=82044151860466DE3EF0860D56B015A669AC0C9057CA63355454C4E341DAD4E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371305Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:39.149{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C22D5C8A3D575B163B9B2C498859E10,SHA256=6D1A113C2CF5CBBDFE8D538B00090B6BA9E7D31CED036A5C3EA6FF96383A8582,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324379Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:36.734{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50043-false10.0.1.12-8000- 23542300x8000000000000000324381Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:40.689{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32970688AF9F67D00B1E7D1D1D193679,SHA256=F1C09F0516F9073664575EC82414A75BC29496FACA480DFFCDDED875B391B51C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371307Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:40.994{27B459FE-5AC4-619F-0D00-000000000F02}8964808C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2B00-000000000F02}3000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000371306Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:40.166{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1120461C349B7A24BE5B0752F963FAE,SHA256=3417E086BCECD22EA3416269B2CF25593ACAC4B650A291765775C2D322091605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324382Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:41.689{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915EBF1471178634111354A16CA11E27,SHA256=192062F33B06468BA265F02CE0BFF3968A7184D52916D76B0D6988AE44DCF63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371308Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:41.182{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F29C4F7B5520FD19FBA7352FDC52CD,SHA256=6F2B7C6FC1026D16F160D22E0D9F3E847DD738D7D1E8CA1EA72F53FC6DAA32AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324383Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:42.705{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2DA5AB17D1A3DB9DD4DB3B448E82492,SHA256=76B91FB1C0BCE0A97B5191D8458A156D9B5D313834AD4EEA1A545C338B0DA44D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371309Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:42.182{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4027BE76E946CC7D04DFC97E8BEEFE64,SHA256=DF43729AEDB38D45DE57190FA58366169A805586B3DC29DADA13013EA97AE6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324397Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:43.767{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BCB90A13B4E4BB00E53783929EBC5E1,SHA256=71CEB237B8FA97F7AF63FA8A050B0442C11F402E92D17FB1D2FCF663A1ADB0C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371310Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:43.182{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA92DD18713E8D8E5A74D3C6C8CAD7A,SHA256=5F19664558BCD13165C4FCCED5919D0FB65A9C57C4C1BF769BD00C5ACFCFA5D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324396Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:43.642{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-60AB-619F-4401-000000001002}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324395Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:43.642{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324394Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:43.642{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324393Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:43.642{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324392Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:43.642{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324391Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:43.642{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324390Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:43.642{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324389Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:43.642{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324388Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:43.642{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324387Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:43.642{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324386Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:43.642{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-60AB-619F-4401-000000001002}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324385Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:43.642{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-60AB-619F-4401-000000001002}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324384Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:43.643{99D2EDAA-60AB-619F-4401-000000001002}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000324414Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.845{99D2EDAA-60AC-619F-4501-000000001002}32563264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000324413Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.814{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A26D460E38D23FB2D9EEA166D54015,SHA256=635D6F16B52264AD571F4572CA8851AA8D58AC63E2ADC45FDD8C532450DC0E7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371312Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:42.100{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58945-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371311Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:44.197{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCBBD06773A730CC53EF19D59B7F65E,SHA256=DC9EB98DF7BC896482D23472F8C5D99F7EFE618E12A4D1E1D756583543C3D236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324412Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.689{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D86480E7CCCC6D7DD9D5A341761A3F7D,SHA256=81508901E5F97E66CD3FB9C8BD1B53D91FBD33A24B7E115890158AD4AAB3D570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324411Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.673{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCAF9A97D86D599632686733ED95C30B,SHA256=9D6D37EAD3C79B652BEC07C22946F70988D08E99C35AEE1CE5C9ADDA4D40C1A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324410Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.658{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-60AC-619F-4501-000000001002}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324409Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.658{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324408Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.658{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324407Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.658{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324406Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.658{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324405Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.658{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324404Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.658{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324403Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.658{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324402Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.658{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324401Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.658{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324400Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.658{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-60AC-619F-4501-000000001002}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324399Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.658{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-60AC-619F-4501-000000001002}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324398Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:44.658{99D2EDAA-60AC-619F-4501-000000001002}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000324429Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:45.892{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-60AD-619F-4601-000000001002}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324428Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:45.892{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324427Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:45.892{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324426Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:45.892{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324425Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:45.892{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324424Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:45.892{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324423Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:45.892{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324422Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:45.892{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324421Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:45.892{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324420Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:45.892{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324419Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:45.892{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-60AD-619F-4601-000000001002}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324418Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:45.892{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-60AD-619F-4601-000000001002}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324417Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:45.893{99D2EDAA-60AD-619F-4601-000000001002}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324416Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:45.845{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F3E851D8533271FE88F9EB88E2CDFE,SHA256=F3CCE76D62769BF667853A7C7EF42F71158ECA6AFB52ED24E7A954BCE6ABE065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371313Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:45.213{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6FA7D4F0857C9680A1C172F9E455AE1,SHA256=AF2DF3DBB08F7D3BD48E412E7A1CB4BD7CF6B508A25D2D84F38BFB269E639433,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324415Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:42.684{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50044-false10.0.1.12-8000- 23542300x8000000000000000324431Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:46.908{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D86480E7CCCC6D7DD9D5A341761A3F7D,SHA256=81508901E5F97E66CD3FB9C8BD1B53D91FBD33A24B7E115890158AD4AAB3D570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324430Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:46.861{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69632C55F974350F577757CB3689BBA7,SHA256=440850BE768CDACC628D6E6167281C51100717F9947ADB69CCCE3BB7875A50FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371314Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:46.260{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691980D2927C71CDFCA58B47F6D80FB3,SHA256=0F47AA479ADF8E5FC3773455706C88A67945A07673737A203B15D08545819CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324446Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:47.892{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D461917DF07E587E7DD953CE4A64858B,SHA256=942C531B25FF24A089BB1A0159B4B359198DC57004CE148C562313620C88E887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371315Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:47.260{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C8905CBBC977C1618BE6BD79CCF5B6,SHA256=5F77F09964FE64D5CE10509E3A277B8E5DB01586DFACBFF7685CB4C3A8C8D9E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324445Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:47.533{99D2EDAA-60AF-619F-4701-000000001002}33923384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324444Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:47.345{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-60AF-619F-4701-000000001002}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324443Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:47.345{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324442Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:47.345{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324441Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:47.345{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324440Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:47.345{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324439Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:47.345{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324438Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:47.345{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324437Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:47.345{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324436Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:47.345{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324435Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:47.345{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324434Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:47.345{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-60AF-619F-4701-000000001002}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324433Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:47.345{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-60AF-619F-4701-000000001002}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324432Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:47.347{99D2EDAA-60AF-619F-4701-000000001002}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324462Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:48.892{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E363F3F684FD44BED7F82A11F1270F30,SHA256=D2804977694A0D8131E2D22FB8514C42372778129640B9234149C0C5C3FCE6A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371316Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:48.276{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017CE9CA03990C509DFF1093BB796DB5,SHA256=883B6585E98960AB1BEA7EECE6BCB95E23DE6FF72F95057DB03FE569A2D7C41A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324461Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:48.798{99D2EDAA-60B0-619F-4801-000000001002}23562796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324460Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:48.595{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-60B0-619F-4801-000000001002}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324459Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:48.595{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324458Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:48.595{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324457Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:48.595{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324456Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:48.595{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324455Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:48.595{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324454Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:48.595{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324453Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:48.595{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324452Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:48.595{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-60B0-619F-4801-000000001002}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324451Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:48.595{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324450Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:48.595{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324449Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:48.595{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-60B0-619F-4801-000000001002}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324448Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:48.596{99D2EDAA-60B0-619F-4801-000000001002}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324447Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:48.361{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F34F09823F0F8DBBD5F20D0AF8C60D66,SHA256=467B1374767FDA5AA44C31831AB1C9CFE49E16B58E1AD7846E85DB48BA0AE8DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324478Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:49.955{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2FA0F3E8E324DD5DC4F2C26285BF044,SHA256=49A2C99EB4751271C1EE07D38256642C51C125B7083A3F158B18AFB2A3809035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371320Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:49.979{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5F48-619F-5D01-000000000F02}5868C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371319Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:49.979{27B459FE-5AC4-619F-0D00-000000000F02}8964808C:\Windows\system32\svchost.exe{27B459FE-5F48-619F-5D01-000000000F02}5868C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000371318Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:47.225{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58946-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371317Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:49.276{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA45AD9A7C7ECDA6DA5ED2E8B029AE0D,SHA256=E79EF41658C6491650722E460A4FC0758C0579CBD0D9CAAA5799B47A64EAAC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324477Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:49.814{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A4E8700EB205FE054AF5BE1B1E55418,SHA256=27596E333F956A5EC476E62A52566A4A6C1A5795A37CB9098FA29052A6BE7A3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324476Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:49.564{99D2EDAA-60B1-619F-4901-000000001002}30602208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324475Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:49.361{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-60B1-619F-4901-000000001002}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324474Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:49.361{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324473Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:49.361{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324472Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:49.361{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324471Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:49.361{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324470Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:49.361{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324469Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:49.361{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324468Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:49.361{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324467Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:49.361{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324466Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:49.361{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324465Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:49.361{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-60B1-619F-4901-000000001002}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324464Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:49.361{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-60B1-619F-4901-000000001002}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324463Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:49.362{99D2EDAA-60B1-619F-4901-000000001002}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324493Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:50.955{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D9B5A978F58A425DECCC2A447C66EE,SHA256=732D03FD8D1CF9B0C78055F2F2345619901F229ABCAC0151164B214B3D8A2F5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371321Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:50.291{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F83F68F75FF413DEE7FB9F8E87BA294,SHA256=2094BCF8C480BFEF67C9F39D2CEC4D85E858112339D850FD4150B0C937A9D4E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324492Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:50.548{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-60B2-619F-4A01-000000001002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324491Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:50.548{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324490Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:50.548{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324489Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:50.548{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324488Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:50.548{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324487Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:50.548{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324486Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:50.548{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324485Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:50.548{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324484Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:50.548{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324483Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:50.548{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324482Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:50.548{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-60B2-619F-4A01-000000001002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324481Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:50.548{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-60B2-619F-4A01-000000001002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324480Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:50.549{99D2EDAA-60B2-619F-4A01-000000001002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000324479Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:47.778{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50045-false10.0.1.12-8000- 23542300x8000000000000000324496Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:51.986{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C778DD388BDEE511AAE3BEC0056F06B,SHA256=246398F37CCFE65916CDFA753ADE23C5BDBE40F686C04AA1B305190C0FBF0D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371322Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:51.323{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7EC3C522DCC355767FC4FA11998573,SHA256=3479079BF82B64F5629CA175E38D7AC023005638DD614DAE48D604F3339B3209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324495Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:51.580{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA87913D0FE9C297E918263CED9CE308,SHA256=612EF22AB0AD972DF9EE2D809DF60D1DD963A77354801EE21757F6347097D2E1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000324494Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:08:51.486{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e4-0x7229f6b1) 23542300x8000000000000000324497Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:52.986{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C876016482412EE7B17E0BFDAA0CEC4D,SHA256=DAA7597505284259FDCE35552A6D07828A73F9B1EDCB8E6D282C550F192D447E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371324Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:52.731{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AC4-619F-0C00-000000000F02}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000371323Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:52.323{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD6D02D833AD94510F62AB350C99083,SHA256=B31503682A3AA5244621247792923DB79BFDF80F8E22CB8C691EAEA00E60B732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371328Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:53.586{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=181BB857980A072911AAC7EF98ECB876,SHA256=79BAE826A1AAA92AF50BFA0A68BABF1E30D46539CFFA0921A5651587F0A9B7B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371327Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:53.586{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=261D5DB998F3EBA394092A72382F8F88,SHA256=698F3AA0EF22EAF5B25514DB491021F325597A355CD18783280560C95287F495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371326Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:53.352{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769EAE7ACF229B43F49A36DFD0058BBB,SHA256=CC7D61D35316BF63AE2F486AAFD60DE50FCD7DE147071B657F3592395F931AF9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000371325Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:08:53.273{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e4-0x733abb3b) 354300x8000000000000000371333Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:52.017{27B459FE-5AD7-619F-4300-000000000F02}3628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58950-false169.254.169.254-80http 354300x8000000000000000371332Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:51.905{27B459FE-5AD7-619F-4300-000000000F02}3628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58949-false169.254.169.254-80http 354300x8000000000000000371331Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:51.870{27B459FE-5AD7-619F-4300-000000000F02}3628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58948-false169.254.169.254-80http 354300x8000000000000000371330Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:51.869{27B459FE-5AD7-619F-4300-000000000F02}3628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58947-false169.254.169.254-80http 23542300x8000000000000000371329Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:54.352{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98DE340D1CA7B1D839328E48D2EB4F7,SHA256=1A8A9D0B667BC60DD1AEE8C66998E3AD9E8457D81C0103DD2304E9FAFD5DA915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324498Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:54.033{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB9863C62963E3E98E6A59F708AD273,SHA256=908CFE23A81C58AFDAD14F5E0240555A623963565C16BD1CA396FC3B91CE7B43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371335Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:53.160{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58951-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371334Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:55.367{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C8F152478C63ADD8D7FD370A417FEA,SHA256=C94F51ED5C66AD2F746990AC07993A4619702B670E804AF895DDC79EEBEDD75A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324500Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:53.731{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50046-false10.0.1.12-8000- 23542300x8000000000000000324499Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:55.080{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74E1E5963354FB6A3D819C07F43828E,SHA256=AE9928C92F7245740A36309BDA2705BE356B59D40B927E44953E8EEC04187BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371336Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:56.383{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B047107AD39231F337AE561F48BEAC0,SHA256=19454AEB070BB7BFA0F0090B44422A6F3C5622FC56CF4F32D2C13E042DC2C1F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324501Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:56.080{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA8F008ACDC958FF1EF2D60D0EA3673,SHA256=81ED18A40A69D583A7A566B19D8DF69ADF5CB42904800C3B996853C32599E29D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371337Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:57.383{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2F94D6413F18360016C7CE02034BDC,SHA256=D2BDCA11149F126EDC881A4470A32DEABC4A6EFC5FC495A2DC4B3A3C9C9B2E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324502Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:57.111{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF55FAEF374A085BED9AC709BDF2C7FE,SHA256=25FA331D1DFD7A9EF322054A4A03DBF6AA004D81B66BA91C75FE11FF1A5BE806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324503Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:58.158{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D6ABC69A73274314A9E76DD25C395A,SHA256=751AD46F8BB8E0369204685AE02E98C30BB92CA15A100527731034DFAC837717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371338Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:58.399{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6884EF855C85D7BD004021141013352,SHA256=D7376361ED386C8D0907A5A8597D86A0131EBB1C494F14BE6CA0BCEFECE95E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371339Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:59.399{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1774ED265F4FACC589BB91D027702964,SHA256=65B47E67960848783D26E2186A26E3F5AC0C812128F85E7503B53799481A067A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324504Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:59.174{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CDB0F855C17E5ED4664D5727FA2DE87,SHA256=9DFB0A1566396F46686A8F683ACAE930CBC01F7EA20770BCE256228CDECC65ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371340Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:00.409{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F09427CF8DE33610DB341C61F0267E7,SHA256=80AA6D0F3FA8A96C2827883D97C175AE921C00721627E33CFA06B0DE0E4344D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324505Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:00.199{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40ACCF9A70C99A0848C7757EA2BAFC8A,SHA256=60E118DD275976079B485A7424D12EA772B493ACA7E48274A4B9B838330F9946,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371342Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:08:59.132{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58952-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371341Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:01.424{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28D9C56D235088E0DE01A5604E251F7,SHA256=ECD6C2F678BF99220F653AC3EA3C0C94772EF89CD5F01D058E406D6A0AD6116C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324508Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:08:59.724{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50047-false10.0.1.12-8000- 10341000x8000000000000000324507Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:01.276{99D2EDAA-5AC0-619F-0D00-000000001002}776224C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1000-000000001002}928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000324506Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:01.229{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF2C00D17086112EDC7BDF480EF1617,SHA256=2AD33F1F9847DD8BE9CDCB423BB07CAA37E24FB3377645786E7312D2992F32E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371343Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:02.659{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E832F5DE578832AE139F40CAEDECE87,SHA256=49664D27EEC07E49FE643F4EA807D741DB437908DB9BDDF06813FD27CCC13A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324509Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:02.245{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668A18182D3C72A79A606C34E0200416,SHA256=8C14624F0DD62B1149E3CE9603DCA07249C69E94011651D88C796C6FCFC94D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371344Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:03.659{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA7406D4C58D50BC649A4716B7280EEC,SHA256=12A1BAB30B4F3DBF81C9732D1C2F0B5D294757B41647EF479C9DF8E2FC97A672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324510Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:03.292{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABC32288D2B5A2AAFD81150192D2857,SHA256=E685131C96D100CDBD15CFA412A76CA439B2A6394BA94A2343FEE79DB0C1EA6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371357Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:02.671{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58953-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000371356Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:02.671{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58953-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 23542300x8000000000000000371355Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:04.690{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA5B66C6913F143F3E0A9C9D34FE0E4,SHA256=D110BDE48AD638BF410E8E0DD89DD6AAA93B83717541C559C09CC1E90D9637C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324511Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:04.292{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0B02C3A69C1B296E713326F8BECA51,SHA256=5DCFA64270C503A92764A3730959D4F7603CA5EFE604CC00146399781781576C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371354Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:04.643{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2089316FD572630031BD95F6C4D7D2CD,SHA256=9A016DC55CD55BB1732BEF36ADB17C3E1B136C317B40BF53DBA3D692B2A56D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371353Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:04.643{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A41A1037114ECBB2CFD815F2FFF0E151,SHA256=FC4444EF8458B71EEB8E4045DC26B8A7202F0AB8974D99BB777563F7C5228A42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371352Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:04.424{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-60C0-619F-8901-000000000F02}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371351Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:04.424{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371350Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:04.424{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371349Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:04.424{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371348Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:04.424{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371347Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:04.424{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-60C0-619F-8901-000000000F02}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371346Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:04.424{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-60C0-619F-8901-000000000F02}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371345Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:04.425{27B459FE-60C0-619F-8901-000000000F02}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000371367Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:05.721{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CEB551E541D56FB7483B1E3302D3DFF,SHA256=2F9A053A8219695BD1A561EE691C8DBF6DF30EE2A47B3C5300E3EA40A9C2C979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324512Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:05.292{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8694C95B69CF36D5E4ABE0A6829CAA,SHA256=950F84A86BAC8C5432C02DB65759528952C744F4DFD209D43932F956A4414C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371366Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:05.644{27B459FE-60C1-619F-8A01-000000000F02}17481264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371365Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:05.315{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-60C1-619F-8A01-000000000F02}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371364Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:05.315{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371363Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:05.315{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371362Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:05.315{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371361Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:05.315{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371360Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:05.315{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-60C1-619F-8A01-000000000F02}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371359Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:05.315{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-60C1-619F-8A01-000000000F02}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371358Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:05.317{27B459FE-60C1-619F-8A01-000000000F02}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000371378Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:04.201{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58954-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371377Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:06.787{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C64CA530D61727EDCFE0344F580FCAC,SHA256=DBF80D12552BCF00E8063F9B05879BC6C2FCBEF405F61F01732FA84BED947268,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324514Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:04.802{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50048-false10.0.1.12-8000- 23542300x8000000000000000324513Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:06.432{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0CDF9E365C53B2589131D22CE9FB90,SHA256=12A7F075514152F1212AB2C2E3E782337EE4104577E4BFE5915F47F59A3DE08E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371376Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:06.425{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-60C2-619F-8B01-000000000F02}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371375Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:06.425{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371374Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:06.425{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371373Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:06.425{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371372Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:06.425{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371371Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:06.425{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-60C2-619F-8B01-000000000F02}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371370Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:06.425{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-60C2-619F-8B01-000000000F02}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371369Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:06.425{27B459FE-60C2-619F-8B01-000000000F02}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000371368Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:06.315{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2089316FD572630031BD95F6C4D7D2CD,SHA256=9A016DC55CD55BB1732BEF36ADB17C3E1B136C317B40BF53DBA3D692B2A56D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371383Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:07.846{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51815303577562DB63864347F1FD63AA,SHA256=428BAAD306EB650AD9CCED18CE6A9FD8FDBD667ECA5C31F57B7002CC6DF2E7A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324515Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:07.479{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A052D962C5F207DAE6AB68BB8AD1BF,SHA256=CE8C07432B2A4EB21BA09DDDA4C3321C46C6E406C7A8B74397F8BC64D0D47EA3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000371382Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:09:07.441{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\583610C9-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_583610C9-0000-0000-0000-100000000000.XML 13241300x8000000000000000371381Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:09:07.441{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A6F3BE35-2816-4299-8BAC-44B9E4617F8F\Config SourceDWORD (0x00000001) 13241300x8000000000000000371380Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:09:07.441{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A6F3BE35-2816-4299-8BAC-44B9E4617F8F\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A6F3BE35-2816-4299-8BAC-44B9E4617F8F.XML 23542300x8000000000000000371379Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:07.425{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7134E3D940D543FFE2CF0F2C2ABE325,SHA256=C59BB54ABEA12E942505609D477A36F7273D0D6DDB3CEA1B6285A157455162A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371395Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:08.846{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9844A46FB3AF422239840F0923B484,SHA256=16A9FE7022492D7A53F7B40AFB9685C200328C8EB9D695C7EF446EB0A7C79E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324517Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:08.479{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68CA0770D39E4BFF7C3D935B56F51B3,SHA256=E52FDF885B747B2284A854B7B8AF935030819F13A743CD61B31C795E9D0A4B84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371394Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:08.784{27B459FE-60C4-619F-8C01-000000000F02}59085752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371393Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:08.518{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-60C4-619F-8C01-000000000F02}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371392Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:08.518{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371391Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:08.518{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371390Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:08.518{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371389Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:08.518{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371388Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:08.518{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-60C4-619F-8C01-000000000F02}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371387Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:08.518{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-60C4-619F-8C01-000000000F02}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371386Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:08.520{27B459FE-60C4-619F-8C01-000000000F02}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000371385Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:06.453{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58955-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local135epmap 23542300x8000000000000000371384Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:08.456{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9877FA4D961B60252A865218AEEF2AE9,SHA256=AD0556C2834F1F9724D246928DD559D921999593CFA14131CAD282B361D88A0E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000324516Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:09:08.276{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e4-0x7c2bf1fa) 10341000x8000000000000000371420Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.987{27B459FE-60C5-619F-8E01-000000000F02}46965640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000371419Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.878{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BBDECDCF362F621AA154A66B11267F,SHA256=97B831A4CBFCC5AD11453D2E5DB3A6614A7F8F55709949EC6AB29E442F2E3AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324519Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:09.493{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C76A9A4C7B468AB674915CF8A4C898E,SHA256=81CD005E8D954210A8C9703C61D99BD1C6D25ECC5C15FCE35D9073900C36CF7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371418Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.753{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD84845B8A6A5CD6F65169BFD4C1ED9C,SHA256=80CAE99229AB62E1F0A85F882B435FB2B7B4912503FB59D1E7D4E281B89EAB54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371417Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.753{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-60C5-619F-8E01-000000000F02}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371416Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.753{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371415Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.753{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371414Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.753{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371413Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.753{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371412Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.753{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-60C5-619F-8E01-000000000F02}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371411Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.753{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-60C5-619F-8E01-000000000F02}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371410Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.754{27B459FE-60C5-619F-8E01-000000000F02}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000371409Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.221{27B459FE-60C5-619F-8D01-000000000F02}20323392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371408Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.018{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-60C5-619F-8D01-000000000F02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371407Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.018{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371406Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.018{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371405Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.018{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371404Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.018{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371403Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.018{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-60C5-619F-8D01-000000000F02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371402Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.018{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-60C5-619F-8D01-000000000F02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371401Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:09.019{27B459FE-60C5-619F-8D01-000000000F02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000371400Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:06.487{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58957-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000371399Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:06.487{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58957-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000371398Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:06.478{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58956-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000371397Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:06.478{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58956-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000371396Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:06.453{27B459FE-5AC4-619F-0D00-000000000F02}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58955-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local135epmap 23542300x8000000000000000324518Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:09.216{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-024MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371422Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:10.940{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A6A4AB10F6707CE9747894B4E795DE,SHA256=BC33E54C89662CA414141D4CC95F6A72883FD49D4A54544DF87DA1E151AF187D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324521Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:10.507{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BD7AA41E2978498E09E633BF942D04,SHA256=5FACED352FE6B4F58CB4FA922D004801E99E11366310FC77A1E1D771F96B1E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371421Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:10.768{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0A472D5337C39D96749184E43902F58,SHA256=3958183CB71C01DCD517051D51C56C028B07411AC48F27CF4B6D24B94A4233D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324520Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:10.229{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-025MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371423Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:11.940{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4621088555B354A6055394DE33F5C11,SHA256=76861DB211D85ED677F3B6FC8DC86D2DFF4202A8B3487474B71942E5C1CCF23D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324522Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:11.509{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4997071C39AAAAD14B3696F80752F0B4,SHA256=6E39ADCAE67DB37A7C6FFA5C0186DD3B4265BEC25E3CA729EB84BC768D51D179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371432Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:12.940{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1234B7F9194A9BB25B49AE76696BDD05,SHA256=68CDE4C1B501888CD36D192F661F5AF6400DB2C748030217E945F47B789DDB89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324523Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:12.525{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73EB8C86F22CA49B45575FF069502E7,SHA256=C405199DF130330CE5C0E0D371EA337A990C827518FCB09EA67FEC189FFE39BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371431Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:12.112{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-60C8-619F-8F01-000000000F02}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371430Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:12.112{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371429Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:12.112{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371428Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:12.112{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371427Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:12.112{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371426Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:12.112{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-60C8-619F-8F01-000000000F02}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371425Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:12.112{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-60C8-619F-8F01-000000000F02}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371424Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:12.113{27B459FE-60C8-619F-8F01-000000000F02}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000371435Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:13.940{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B543DA8D3E5AC49C5CD27EF1ACFA53C,SHA256=97E6281F1286CBAF22D4E90C24637474017C5FECFFB2DBCC3A7EEE1255FCA2AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324525Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:13.525{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73DC3B63FCC246CFD5E4A94C39338CE6,SHA256=A29C661BF8F1D28D12E01008C4D8314D66620E2AA281B218CCB8F24B5968364F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371434Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:13.112{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8D097F8FACDA9682F7A1B0912E2EF0D,SHA256=F2DB169060934304DA296DBB4AE01DCED7DB93BBD2E9219150E465FFB11B3EA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371433Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:10.186{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58958-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000324524Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:10.801{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50049-false10.0.1.12-8000- 23542300x8000000000000000371437Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:14.956{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E9862100C6F9930A98A4C5AFAC8139,SHA256=5FDCE1AC6171828CFA221A9F5A5E54A908D503A3C57E438A8B416EC40B7E3B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324526Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:14.540{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA19D0D3C237B60D8762BCD0CA7DE70,SHA256=95E41BD6922BD3C5FB5F350199493E45FABEAE1AAA79DE916797ED11BC56F463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371436Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:14.800{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371439Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:15.972{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F10C4B807CE07EDA3BED7C1030F3922,SHA256=1FCF8F48A4F2BF061C6A670DC6EDF0BDF63F7140E5909790736BEE7D32F58855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324527Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:15.618{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E263C7251EBCAD5CF90DAC5A46BBBD50,SHA256=97E349EC90C4CB1D9E4D3D5614503602C52CF10FC2B43B9336C29A4F6BEDFF82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371438Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:15.440{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-5AA4-619F-0100-000000000F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000324528Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:16.618{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37691FADB27C2391367073EF75855E10,SHA256=952BF66BDB1B51073AE633180CFB8CA477654AC116A32AA6A8302B4B53034C6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371447Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:14.472{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58962-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local445microsoft-ds 354300x8000000000000000371446Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:14.472{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58962-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local445microsoft-ds 354300x8000000000000000371445Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:14.371{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-266.attackrange.local58961-false10.0.1.14win-dc-266.attackrange.local389ldap 354300x8000000000000000371444Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:14.371{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58961-false10.0.1.14win-dc-266.attackrange.local389ldap 354300x8000000000000000371443Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:14.362{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58960-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000371442Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:14.361{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local58960-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 23542300x8000000000000000371441Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:16.331{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A84FA33CF2FB6A874321A8C38C93652B,SHA256=4B970CB8F4109FA532D0D87A8923F46034B67AEA6E6140D5F0B479A38D05E60F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371440Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:13.811{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58959-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000324529Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:17.618{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBAEDF0CCBDAA332579FE10195DA150,SHA256=D08F6F1D5328CEA611FEB21D54D0ACD98297E1DCD9558FE5AAFB84DA6C5C5F95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371485Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371484Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371483Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371482Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2B00-000000000F02}3000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371481Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2B00-000000000F02}3000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371480Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371479Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371478Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371477Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371476Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371475Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371474Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371473Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371472Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371471Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371470Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371469Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371468Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371467Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371466Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371465Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371464Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371463Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371462Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371461Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371460Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371459Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371458Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371457Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371456Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371455Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371454Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371453Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371452Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371451Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371450Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371449Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.190{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000371448Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:17.034{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604F2D24D58D315956DE05A8D96841CF,SHA256=3ADE89ABD0E087A14E8235E01A5FE8267A99F282B268605D505FDD71D10EF764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324530Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:18.618{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C2879E06A6F824D6A1E76585D527B89,SHA256=C1D34A54ED8B594D8FB1ED11407C5CA2E1F9F3FA36ADAF8E5BC6458C9461FAA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371486Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:18.128{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02E63C6377A73E24CF343446E96252A,SHA256=48686AAD52B63F6D762C2E61B112974F508867AC2C1A6DE5ADEC0ECD7BAD5F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324532Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:19.643{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35296991BAA345F9F31A0B4EF95D1FA6,SHA256=E17C32DA4D1023873E3C93692D8BC32B9B6F0DDA28A8C85898C73AD86B7B732E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371488Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:19.222{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548E5BC5645A049B46BE1195A6E57278,SHA256=2F47D2CCAD880C461B26931392BD3826A45AC250BB3838B15A34DF54008FFF7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324531Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:16.723{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50050-false10.0.1.12-8000- 354300x8000000000000000371487Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:16.202{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58963-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000324533Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:20.643{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C15781A737456A2522917B7D3DA741,SHA256=E93523094A92626AF477FBD866D088338AA76943ADC59C15D42EBE42ADC1B971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371489Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:20.277{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A52D8EAE65C5F491052CDB47E5B2DFDB,SHA256=1A7D007986AF37C0A4CCFECAFCBDB24B8BF84435983F3A6A3C2E7CBE6392F52D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324534Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:21.674{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24317FF92A10EBBAA486B71EF5B7E0B,SHA256=F6E05CFE0870AB1C5532A00B81759FAE65D228D43E289D75DC553832F2574A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371490Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:21.464{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9BF3A9A08A0242873B1853AD79AF524,SHA256=9B939FF8C1ABA765A07BC9BFB2A30FD7B2689BF55438A8E165A65CD66E161524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324535Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:22.690{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254FB0BDD00FE7E56E3889DE71915981,SHA256=72A1B6209DF5A0A64A690E1E0239FF849C351E2E80A28CDD4BAF23942E784E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371491Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:22.464{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E725185FD4866BE2203CC94765A872FD,SHA256=E37023FDCA9731CFB806076B0E23888425D7D21847A763BDD16787D37ABBA915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324536Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:23.690{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DA9413530FCB1C28C3F819FAB00B66,SHA256=8C090D451CF20BA333200295B5393B4C787D3D421F1C5BFA47C0EC86E7608AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371492Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:23.464{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=647B4F15F794C5472FE6E1366DD34053,SHA256=8D8C103458045FEF477255594BB0F1EC63CF2B7953749F4E17E8BDDF53929FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324538Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:24.706{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D304A3FFE2878500BF53324D7193E1CC,SHA256=34DF745D802F40BAF2A7C3D5A2532E1F7F18655ED0F97D6267AC832D1376E6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371493Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:24.464{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=991DC7D4F388D63EB04B73D5483BF059,SHA256=C83E312E21D5100683F68F3841BBEA2150A43CF945EEB2DEC96C620E6A84CCF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324537Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:21.841{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50051-false10.0.1.12-8000- 23542300x8000000000000000324539Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:25.706{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030E25254C72B7B202076A449C466785,SHA256=7C7AB2ED21B3F924ED10B79D290AC9621BD72519266F3706F46527B0E91AC010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371495Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:25.464{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16AC31C9B7EAD7C9EA60695C169D0E6,SHA256=211DDE666725C8B38E37CCDABC378657F48E7AEF09F27B77F48577C5FA2A3923,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371494Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:22.116{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58964-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000324540Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:26.721{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5ACC3D6B3C31637AC8DED4313F5974A,SHA256=F807A5FA72FB1F52CE3F7499E0D189AD04C1ACA6B78BC0A1417D0C3538813B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371496Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:26.464{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7246A39150057EAE979F96C2CCCDE06,SHA256=DA2D977E3093332FF0BEDDED11C0CAED9C27671B3137F3DB4349FD9084E4ACAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324541Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:27.722{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21DBF4AADF13A01210460EDB82C3711C,SHA256=245FBA25D6FE4927E0CA82CAA0C650E1D136885ADE9A2C688916BB9543405001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371499Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:27.480{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4D827DF690C1370D264ED6902AEC823,SHA256=AA563BE1F6E75DF700C9E2077F1F9FE41B877B7B73BABEE6AF29565D8BADF8BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371498Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:27.152{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEB6BFE9BF46B134457DF1A7C489066D,SHA256=C4B917AA42852B43A3CFA8678B4CB00DFFF36038649DAB1D78D94A0584B930B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371497Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:27.152{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BCB36258EB4CBB1CF765EC941310167,SHA256=ADD8B18A4550C8BCB109DFF991BD87D7AEBBE2C343032999B00CBBE190514662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324542Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:28.737{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BBBA32B478731A42FE12E43D1F232AD,SHA256=C33DDF6863546EB36D78E76A5C56F922FD516706326422F0BA33BC18A705BF14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371500Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:28.480{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41805D5D474213EEE85ACBBA15C46AD4,SHA256=3D4FEDEEBC780000AC2B1FBB16416C06838F8AFCB0325EEF4EE46099585E6245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371502Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:29.495{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAF726105732C7035865722D6935361,SHA256=8E40FF8440AC2AB155DA2AD11913EB8F66427CF504DC3BD9130C13E905FE71BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324544Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:29.753{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67A969ACD8FAA478FC80729CF4BC17D,SHA256=C25820E942794677F3402EF741A2235C1815A9CAB5FCE4F627A9BB8B62EB556E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324543Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:29.394{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F06DACE6A591E8D9E4B26E7C18886436,SHA256=67D06A27003B739F81BF39D485DFC2CD85C21F2C405650851469681045EC422B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371501Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:29.327{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-024MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324547Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:30.784{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F614DB5B77B188A83E8352A961C4411F,SHA256=392137B5627BAB6F24AB640AFE9611CE56524B20ED51837555AB9B7724EEED44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371505Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:30.496{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F6DC4F48E0FF25FA9C8C3204F4E1D9,SHA256=B77587DE32189345CF0C22C43672D16521848285EC5204D405B003F0259D88EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371504Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:30.340{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-025MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371503Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:28.069{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58965-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000324546Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:27.638{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50052-false10.0.1.12-8000- 23542300x8000000000000000324545Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:30.331{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324548Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:31.784{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97855D249422DBC50A7D937EC2522457,SHA256=69BC49EACA73A7007A676B18E5A8E9A73DCC956690671B512AFB68CDA24CD139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371506Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:31.515{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C1572EE5D4BF64D3973C4743C8F628,SHA256=2B97F149D906AAF2D07F5A92AC8E671B9F9E58965752E696C3F1834E1B8DCABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371507Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:32.547{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1FDF2BDF8B8CD5CD71DFC1D6D5A849,SHA256=D2542C8BF7A52EE70A4982100C6200DC3F7A5E97933C9D570B6964CEB55A32E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324550Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:32.784{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A62246BAA2ECE584E5C9B5B5A0A9962,SHA256=13B3541E3A9C011A500C19740131EEDFE95DBF1B6A8554C54F45A2409FDF5E2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324549Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:29.904{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50053-false10.0.1.12-8089- 23542300x8000000000000000371508Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:33.547{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A284ED679C54BECE50051489616639D,SHA256=CE37376979FF71DC49B2EC59F409607069FC78E18C81B9F259C728548791993E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324551Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:33.784{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=891F0A36F679D2513DE292E2EE53167B,SHA256=E5B5EE26219A106D9A9E4842DE8E48321607D1B2571BD98463D4AA303E40B1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324553Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:34.831{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5347689D11F7DF1C9505E8A24C12FA,SHA256=DC9AAC1A752F61BABDA2FEC7DB03773E7A2285D993D679B9BA4EF88DF7FAC63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371510Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:34.547{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C38584F05A56C9768E4478AB898813,SHA256=498F1C64389957D6E2E5C6E95558983D749B84347FA16C118D0EF21F793672EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371509Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:34.469{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=34FBFEC3381E652AEBDDBC7DE0E1A302,SHA256=8715356182E13726DFBBFE8D270F92B92C2F50AC278DD6815B703EC0D7848A3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324552Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:32.638{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50054-false10.0.1.12-8000- 23542300x8000000000000000324554Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:35.846{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2A8F202B77B9C9398D880276905968,SHA256=843A1F6C324044167BAF1EF40238A91FDA7E759E3CB9E970F09B2809A5AB83E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371511Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:35.562{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D152BA0EC490DAB904ADB83BFD66AECE,SHA256=D1F43F6CCA0989866E30EE7AB604F8D2B40A88F42B23955ECDD1E5EAD1F370E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324555Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:36.862{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E6C9BF4D0F53EFAE07BEBB6E78DD9AD,SHA256=B960B52D55B5B8654462C1E7A632F88118C9F3F4DD09CDCDD577578020F589C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371513Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:34.073{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58966-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371512Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:36.562{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41A567A3B484183426B3D54706AB7B8D,SHA256=8652310082EF0D6BB8D481E2428BF20383D758C6585DA0A082A47846E484E632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371514Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:37.578{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C898079864C481F6CA3C63A7D3B8810F,SHA256=52100E29E9ED6793B5E3357EA425BEA4F3502CC73827F0243D8B69D4BD564084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324556Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:37.893{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177AAFF97EB4B99F1D3AC25F16542416,SHA256=8D167F953CCFACB363BCE5E0656C69CE368878428A0CECD3152E3EE7A4021B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324557Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:38.956{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899A2FBC02EA525CE0B5C502E9353631,SHA256=00CAF0208E8EE3D060CB9088B25415202BC2EFFBF0EDB306225B3CB44EDD540B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371515Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:38.609{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44173A058A9F0D13692E6343C27D1C92,SHA256=6FD467875993690575716C80A0FB1A61CE0674464896BDE3D479832B45F0DED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324559Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:39.964{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336F650894D14236035024D86BF21316,SHA256=E69DF32E0E3E2C29E8DCBD92384021C730729D2F88DD7D3C80A35795FB647DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371516Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:39.641{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA0DF0E69FCD41F49446543F2C1B8F6,SHA256=DB03E4E32860A8CCFFEE661819EE314A9784BA1F95DA4AA1928688DB52D8E630,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324558Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:37.842{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50055-false10.0.1.12-8000- 23542300x8000000000000000324570Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:40.964{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=869E88B8E061905795248C8361E2C0F2,SHA256=C8A1C11B13DE806441D272D4020A276E9047B2164ED5A1C618751A9740F70D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371517Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:40.645{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBCE97BD9E77E480984BE3C01F0D3104,SHA256=68C535A2243A0E3C7268E654E60331EC9BD094322CEDEC806BA3EDE151B7C361,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000324569Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:09:40.854{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000324568Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:09:40.854{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0018b0ec) 13241300x8000000000000000324567Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:09:40.854{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1dc-0x2d854e41) 13241300x8000000000000000324566Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:09:40.854{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e4-0x8f49b641) 13241300x8000000000000000324565Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:09:40.854{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1ec-0xf10e1e41) 13241300x8000000000000000324564Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:09:40.854{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000324563Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:09:40.854{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0018b0ec) 13241300x8000000000000000324562Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:09:40.854{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1dc-0x2d854e41) 13241300x8000000000000000324561Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:09:40.854{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e4-0x8f49b641) 13241300x8000000000000000324560Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:09:40.854{99D2EDAA-5ABF-619F-0B00-000000001002}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1ec-0xf10e1e41) 354300x8000000000000000371519Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:39.234{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58967-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371518Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:41.676{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9819722EB704BE0C70688B2ACA512D4F,SHA256=DF816E6C6785E8D7E462F8625B97D87AA045A6E3ED3579F39131030C221BA214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371520Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:42.676{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19493DD8E2714A398C7B5AEB736FAF0A,SHA256=E02E61807784FCD888CB881B1CC1095E7F7AC9B1A3F55C6991285473652BDA3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324571Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:42.011{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349319513A4921810803BEEEA0D82273,SHA256=F8F76C57FC308431D7EA396E1A4917FC9757DBCAF374E5D6AC5424F330CA45D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371521Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:43.676{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3BD5C3D019D8A9B28C36887A562CC1,SHA256=42157BF6899BE0A4AF484862C944417046C1E6041F1E7C2C15A43D3EA450D7EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324585Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:43.526{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-60E7-619F-4B01-000000001002}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324584Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:43.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324583Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:43.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324582Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:43.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324581Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:43.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324580Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:43.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324579Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:43.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324578Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:43.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324577Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:43.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324576Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:43.526{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324575Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:43.526{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-60E7-619F-4B01-000000001002}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324574Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:43.526{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-60E7-619F-4B01-000000001002}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324573Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:43.530{99D2EDAA-60E7-619F-4B01-000000001002}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324572Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:43.011{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365CD5ACE489E6D851C8043D08EE0979,SHA256=1749B9703B008DB56E9C2FA2C4E6E4BCB0AECD9F62AB42DA25A6C234A1A36D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371522Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:44.676{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639E8667F40880065478FCCDD30C1597,SHA256=727DF107B124DE8E27616F764DC6BE264A5E9182CDA07D3F4F85CFCF72EB1227,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324602Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.839{99D2EDAA-60E8-619F-4C01-000000001002}30363172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000324601Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.714{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FF557B04F7F7020455D906DBB174153,SHA256=7597A8D06455E6ACC24215DD46239B5DBB6F885E61CA3E889B2BF5A81A40FD2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324600Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.714{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33ECB77D33118D8817BBEF62B4B3E0A5,SHA256=41FB04BB39F64AA4F780216D64B57EA449C69363A8DC4CE4C93E14DB91048CAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324599Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.667{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-60E8-619F-4C01-000000001002}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324598Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.667{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324597Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.667{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324596Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.667{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324595Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.667{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324594Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.667{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324593Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.667{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324592Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.667{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324591Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.667{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324590Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.667{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324589Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.667{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-60E8-619F-4C01-000000001002}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324588Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.667{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-60E8-619F-4C01-000000001002}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324587Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.668{99D2EDAA-60E8-619F-4C01-000000001002}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324586Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.026{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1096903896F29605171632CB9A8B12AA,SHA256=41428A466350DAB8E167501EDCF86D899B9648076D8603211F0D8D9D88C9E1B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371523Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:45.692{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0104C2C26E192CFE8D201945134A5E99,SHA256=6C5BF54375C2AE9C6BFF40052E82400DB769D2747EE611FD80B6640395E6DB17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324617Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:45.901{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-60E9-619F-4D01-000000001002}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324616Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:45.901{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324615Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:45.901{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324614Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:45.901{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324613Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:45.901{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324612Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:45.901{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324611Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:45.901{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324610Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:45.901{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324609Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:45.901{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324608Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:45.901{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324607Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:45.901{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-60E9-619F-4D01-000000001002}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324606Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:45.901{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-60E9-619F-4D01-000000001002}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324605Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:45.902{99D2EDAA-60E9-619F-4D01-000000001002}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000324604Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:43.616{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50056-false10.0.1.12-8000- 23542300x8000000000000000324603Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:45.073{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBD93EA5FBCEE2DA6623B9BA102A2FE,SHA256=5D887E78165E54005A4021984D3BE7DB12C441920A68DCAADAFB307ED9D4826E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371524Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:46.692{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E4959393DDAD8770FE707832511E85,SHA256=C6D4C1244E76890382B59973D5935F1F8F65FA2DA1F444369234C9FDF7FED9D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324620Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:46.917{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FF557B04F7F7020455D906DBB174153,SHA256=7597A8D06455E6ACC24215DD46239B5DBB6F885E61CA3E889B2BF5A81A40FD2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324619Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:44.073{99D2EDAA-5AC0-619F-0F00-000000001002}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse119.167.194.165-52969-false10.0.1.15win-host-61.attackrange.local3389ms-wbt-server 23542300x8000000000000000324618Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:46.104{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD1DAF36BBEDC3B938738A4810A95E4,SHA256=8C8E45065C0282DFFF20C137FC9DADAFB95C23DDEEC4C5818562E0433144BBB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371526Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:45.187{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58968-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371525Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:47.692{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C9A12418AA9B016BC40AC4DD32F6AA,SHA256=6F599BAFE1311C1A8A8F40F6A3C0DA33561E2F0C45D9ED56AEBB7475711FD96D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324635Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:47.386{99D2EDAA-60EB-619F-4E01-000000001002}26243148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324634Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:47.229{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-60EB-619F-4E01-000000001002}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324633Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:47.229{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324632Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:47.229{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324631Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:47.229{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324630Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:47.229{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324629Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:47.229{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324628Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:47.229{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324627Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:47.229{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324626Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:47.229{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324625Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:47.229{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324624Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:47.229{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-60EB-619F-4E01-000000001002}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324623Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:47.229{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-60EB-619F-4E01-000000001002}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324622Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:47.231{99D2EDAA-60EB-619F-4E01-000000001002}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324621Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:47.151{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0932CEAE79068A9E91955A2C0EA330F2,SHA256=D2D6340C0AB47638CF92CF8F9CA17E44B32658E7E50D6160CF56D53ECDD7E84F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371527Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:48.707{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F252D45018BFAC96BACFDA98FC73B777,SHA256=F6418D6A7799D3830F64027C8D70F36E763AD981A037858E28328D2FDAD78B6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324651Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.823{99D2EDAA-60EC-619F-4F01-000000001002}28163488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324650Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.620{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-60EC-619F-4F01-000000001002}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324649Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.620{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324648Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.620{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324647Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.620{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324646Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.620{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324645Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.620{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324644Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.620{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324643Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.620{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324642Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.620{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324641Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.620{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324640Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.620{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-60EC-619F-4F01-000000001002}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324639Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.620{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-60EC-619F-4F01-000000001002}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324638Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.621{99D2EDAA-60EC-619F-4F01-000000001002}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324637Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.229{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DB2A08708E5B32A6E1540F337E1941C,SHA256=1A73204DD4984010185789313631C2B429C5AC3B6CB0164C1F34C708F9BF2DFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324636Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.182{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C8322CB6EA501ED3844664ACB81ADE,SHA256=F3293E7D386BC4731922DB010AC19EB96738DB0855475FE08607357442964FE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371528Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:49.723{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B404385992F435D58CECFA8DDDF98F7C,SHA256=A821C4C9487D84BEF50581E0E720792CBF94A82BD3F187B155A5A0492BF001F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324667Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:49.620{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF0557A83BCE3DE2FF9488FEABE9527F,SHA256=851D70947C590EF9E8CEF2633B1C8053564B9E28EEF1DDA1D097C8D4B0DEF94E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324666Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:49.557{99D2EDAA-60ED-619F-5001-000000001002}19642616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324665Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:49.370{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-60ED-619F-5001-000000001002}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324664Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:49.370{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324663Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:49.370{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324662Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:49.370{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324661Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:49.370{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324660Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:49.370{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324659Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:49.370{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324658Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:49.370{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324657Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:49.370{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324656Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:49.370{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324655Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:49.370{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-60ED-619F-5001-000000001002}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324654Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:49.370{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-60ED-619F-5001-000000001002}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324653Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:49.371{99D2EDAA-60ED-619F-5001-000000001002}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324652Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:49.214{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D53FFF49C2875A4EF8A175CE6DF9511,SHA256=213E774773BA7143408CA7C402BB71A2B3A4A36EC8863BFB6DDC9F76B115A1B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371529Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:50.754{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81C1D113AFFD21475773DDBBFF29571,SHA256=D8601CB627423F2EC7FF81F8DCA5117FD99F546639B37273DBE48D2CFE6EAE08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324682Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:48.678{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50057-false10.0.1.12-8000- 10341000x8000000000000000324681Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:50.557{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-60EE-619F-5101-000000001002}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324680Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:50.557{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324679Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:50.557{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324678Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:50.557{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324677Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:50.557{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324676Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:50.557{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324675Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:50.557{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324674Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:50.557{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324673Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:50.557{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324672Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:50.557{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324671Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:50.557{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-60EE-619F-5101-000000001002}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324670Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:50.557{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-60EE-619F-5101-000000001002}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324669Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:50.558{99D2EDAA-60EE-619F-5101-000000001002}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324668Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:50.214{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65EF4CD9C39C7DE67322D68C4D216D6A,SHA256=76B76058DE56463D0CEFD4176611809A0C831E5EE5BD5434B279D77E1E2CC1D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371530Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:51.754{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C8C1AFD208BCBF2E792CF52629C3A6,SHA256=A1845115E00B30723EA54D4E349893C02D4EB43CDF15580548074F7B0493189D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324684Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:51.589{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20A146860AC0FAAB5BBD20C17AB678CB,SHA256=EBC58F4B938E4E66577FF940F6B258C278D17F6B31ED69EDC929B1F1043FE5EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324683Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:51.214{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9ECC20C0C44B7BE2B7A1C8F7613B434,SHA256=0BCAC07C44166CCE19CDB3C987A496CF75989E7621E44E7B5F789B76DC3C60E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371531Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:52.754{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50E12BD58E4DB0285D9017892C9B068,SHA256=2FC14E27734519DB95BE2AD2AE89CC73EB0EFDB193296AE30237AAACD6BF7E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324685Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:52.245{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0247B8A6A4799A3088587D44524762FF,SHA256=67FAD92EC67F9FFD75C3E0B4F213CD3209C463F207B99260CE9C2D894ED19E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371533Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:53.755{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E6CE80764F92D893A5CEBE432F4348,SHA256=36BB91279A1A61BBCD37658AC7996F7374AFE63FA69BA3720E7F121FBDC8E993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324686Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:53.276{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50874DD2810E49E22559501AD4A46ECB,SHA256=C6879A7AFA4808441343D3D7F7227ABCEB028141E68855C3FA80589ADBE95247,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000371532Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:09:53.301{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e4-0x97023ec8) 23542300x8000000000000000371535Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:54.832{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1866EE32227C1B00D3A712F42F6F7F0C,SHA256=14A1D07FEDCF7FAD020945667D5F420AD06E47CBFEA25BEA85D0558256005FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324687Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:54.276{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD94DA387B0D515C961891EAB6F569E9,SHA256=F8921B7F61466BE9C662E4C74BB4BF8624A9081971C65B6E3D1642654D0875D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371534Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:51.140{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58969-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371536Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:55.848{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1070B6804E986EBABA6C95B7CC4D7529,SHA256=2B4CF970C9F44641A3A30A3D31F3BD9EB6E1D8B217B20CC2FAFC3BBF8180CE59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324689Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:53.850{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50058-false10.0.1.12-8000- 23542300x8000000000000000324688Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:55.276{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717CF6E92A24CD695A807301AF933784,SHA256=AC79D1DEF4CC51989CBFDEF8488F4D92459FA1145DC7D585B544870B26389422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371537Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:56.864{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7780114F4F1AB36734DC97803B9F4F69,SHA256=F408B35EF3CEFFD7ABA34816FE0E28EFED553B17655139CFF86A4F1C6953B177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324690Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:56.276{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F0DBD36E32FF2BBB9E362330B27531,SHA256=9EF914B0F56E44F3936CE2A467BA6C5602B93308E893C63A49715C7F9BF94B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371538Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:57.864{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15507CC5E01E78592C25C5BA999B2393,SHA256=5FDFF113AD1E3210CBCD361D9EC5AD12C59492432E2AB04F0ED25DEFDA4F2916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324691Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:57.276{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B66441A9C4CDF71AABEB1A9A919EDA9,SHA256=2AEAFE9E7CE0B633911F47177D0AF3E949FCA6FB0E640C4B7E384E037D050245,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371540Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:56.203{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58970-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371539Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:58.864{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA2DFA5CBA22B773EC2C11BE5748406,SHA256=01793A2AE122A474E87410862F10E4E4C50C16D94F8D487806C698D942BA96F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324692Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:58.292{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB99A25945E5B4D9E73E2CCD35743631,SHA256=A00BB8FEBE8BDDCE946F46951C817EE7D1A55776A024108902A75ED81CC14929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371541Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:09:59.888{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415A5533D0A61A56ED0142F9B34B6B0B,SHA256=EE88B1E928F76049E8E0308905318CB6B9BE3D405ED48A9346D1B65BD3E872E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324693Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:59.292{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4F87E242DE7133481F7FDF92020C41,SHA256=E3A4C95664C6FFD170743DCDA173423FDFF803BD2D0DEBD29819E4AEE65AB07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371542Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:00.888{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8745EDA29B6236EFBB152F1BE3E342B5,SHA256=78421DD1253A94E234EC9E3B43B27669CDC850D5F783A9884913F16ECEDDE689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324694Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:00.316{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88578EF6DFD5E04AA07902C0ACA66CF4,SHA256=7DC6EADB2339FEA0908FDF25C0D64F29F28F70222A56E7DFF1B95DA239C4267E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371543Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:01.903{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3594BC0D335A5164ED5092D8D7A364,SHA256=608D6BB9E6378F1EB0D94BD09F6A8F36FFF94866EDA622D42EDD6EF9AB854269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324695Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:01.316{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B597E5D03DD0F140070D65E9C000AA2E,SHA256=0ADCC1D902AA93C779F0D9CB335C963A03FD1EA72D3B447424E4A7CDA389DDB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371544Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:02.903{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16633483E4F53E57D1DAB13160940EE4,SHA256=46E577718F01AFB13CED1F3E55F34F2AA84AF5C1AA62647BDD5B2D44DDA0A6DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324697Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:02.331{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF70655222362C46E553868706F5A466,SHA256=D98AC576DD31A19CA0C35EC6CF35D14DACD71F9E7C81455C57C00C93D923C755,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324696Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:09:59.843{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50059-false10.0.1.12-8000- 23542300x8000000000000000371545Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:03.966{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029A3E3FCAD134B166022CB06046497D,SHA256=2FB4773B82C1D74B6226AC500213ACB97BA30526CC831E9B73B2A6BD215AFE54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324698Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:03.347{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E2FE922A18870279F185BDCAC1F049,SHA256=965F7DFDDE37B9A716BEC31687E48DE0F74D7E545B494F5D2D455CD96414A303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371557Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:04.981{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D052F35BFE0B45AF632FA52B3D40A664,SHA256=9DC317217DE20C7BE13B4BA3D4FF743FE892052757FD3F8F2B3A90C535C8F864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324699Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:04.363{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297E24904D4EE17B142B1CF2DA78C28B,SHA256=10AC6F219CF2F182D0BC8D4995771CA7DF5F7BEB26B42ADFF84855D8EA70BA38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371556Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:04.653{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D944752A9005441D41F1621BE4B5C388,SHA256=758A1609A32C812FC536FD34A9EF8A6D12F1C0C7975380D72003AAACFA5EED8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371555Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:04.653{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEB6BFE9BF46B134457DF1A7C489066D,SHA256=C4B917AA42852B43A3CFA8678B4CB00DFFF36038649DAB1D78D94A0584B930B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371554Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:04.419{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-60FC-619F-9001-000000000F02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371553Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:04.419{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371552Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:04.419{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371551Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:04.419{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371550Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:04.419{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371549Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:04.419{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-60FC-619F-9001-000000000F02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371548Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:04.419{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-60FC-619F-9001-000000000F02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371547Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:04.420{27B459FE-60FC-619F-9001-000000000F02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000371546Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:01.226{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58971-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000324700Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:05.363{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BADE197DE7FECFB473C1B7B322731E,SHA256=EEA26648F3FEA2348214C2255C9E48219D3499D003F4D4E7EB62908BBF07B0E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371568Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:05.700{27B459FE-60FD-619F-9101-000000000F02}53562136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371567Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:05.310{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-60FD-619F-9101-000000000F02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371566Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:05.310{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371565Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:05.310{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371564Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:05.310{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371563Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:05.310{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371562Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:05.310{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-60FD-619F-9101-000000000F02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371561Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:05.310{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-60FD-619F-9101-000000000F02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371560Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:05.311{27B459FE-60FD-619F-9101-000000000F02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000371559Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:02.680{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58972-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000371558Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:02.680{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58972-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 23542300x8000000000000000324701Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:06.378{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DD86D42E6A0BFC6CA76935583A8A1F,SHA256=0CF3B6FF4E4A316D601FA42D87226A33AEDF20C84A7F189DD969ED251D91B2F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371578Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:06.435{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-60FE-619F-9201-000000000F02}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371577Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:06.435{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371576Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:06.435{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371575Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:06.435{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371574Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:06.435{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371573Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:06.435{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-60FE-619F-9201-000000000F02}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371572Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:06.435{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-60FE-619F-9201-000000000F02}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371571Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:06.435{27B459FE-60FE-619F-9201-000000000F02}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000371570Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:06.325{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D944752A9005441D41F1621BE4B5C388,SHA256=758A1609A32C812FC536FD34A9EF8A6D12F1C0C7975380D72003AAACFA5EED8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371569Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:06.138{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6AEAF1668E820FA1453ED657924346,SHA256=23C2B8A1066507A066FE8E72C4845AA865A57AB2D10740037DCBA62635B96B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324702Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:07.378{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5CBE370513FA976034CF4B4E52E3026,SHA256=417ACC5E2F810BB68CF44A76DF9A6BB41B829D76CEABB385692606311ECC2D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371580Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:07.544{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E457F83C5CD23476EB3A2F408BA89DB,SHA256=8AC0869B9C4097C58C375B9C195AF9254919CF1EC8000F065CF183DA0041BF00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371579Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:07.138{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC69DA723525057560025CEDA1E5AD1,SHA256=B75C8B91E21D766303A890834F1E88A5FA8CA5C93AD9258BAF52B4EAF6688BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324704Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:08.378{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F15EE71451A378A77888CE0D1E8B3B0,SHA256=BD0007DE689280B9BE618F2FFF3F63A8EE31CCE21465011AB3D8B3D4C12EFD52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371590Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:08.716{27B459FE-6100-619F-9301-000000000F02}49925988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371589Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:08.528{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6100-619F-9301-000000000F02}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371588Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:08.528{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371587Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:08.528{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371586Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:08.528{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371585Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:08.528{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371584Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:08.528{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-6100-619F-9301-000000000F02}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371583Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:08.528{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6100-619F-9301-000000000F02}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371582Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:08.529{27B459FE-6100-619F-9301-000000000F02}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000371581Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:08.185{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811DFAB81E087910F761E6A6F8643470,SHA256=B61FBD657A5012DCC56B3BE9CC01EB9F2F3A770FC3CB6F0D2DAF79DFD87D8CF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324703Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:05.655{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50060-false10.0.1.12-8000- 10341000x8000000000000000371609Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.872{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6101-619F-9501-000000000F02}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371608Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.872{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371607Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.872{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371606Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.872{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371605Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.872{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371604Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.872{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-6101-619F-9501-000000000F02}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371603Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.872{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6101-619F-9501-000000000F02}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371602Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.873{27B459FE-6101-619F-9501-000000000F02}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000371601Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.544{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAD0A86ECA9A7C3E3D5E558C48449C0F,SHA256=A08D3944962F0109C06B8500ED2CCEDFF587BF42E0E1828FDB5741E9BF427ECB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371600Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.403{27B459FE-6101-619F-9401-000000000F02}21206012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000371599Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.200{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E10A5D87F8A87A1F73F4845ACD1F32F,SHA256=39FF24B87C735CD37664EB372108C80186EB2D71692020E9745032A38655A00F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371598Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.200{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6101-619F-9401-000000000F02}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371597Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.200{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371596Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.200{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371595Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.200{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371594Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.200{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-6101-619F-9401-000000000F02}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371593Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.200{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371592Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.200{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6101-619F-9401-000000000F02}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371591Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:09.201{27B459FE-6101-619F-9401-000000000F02}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324705Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:09.378{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3360025DA0DC21FBE9F5D1923B0C4897,SHA256=068B013F5BBBD90B6E9B39B50E005C2096F371AD4689A6F163E6FCF12246F76D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324707Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:10.758{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-025MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324706Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:10.381{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736C92A0017ABD5E51D3395E1893A224,SHA256=4A159E105D28DEBBDFACC6A7873E91A52A201356DDD2F96DB49142AA29DE54EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371613Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:10.872{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2797AD2739BFBAD6FD7764B53C641166,SHA256=E64C935C2CAC8D3A59DB0CEF1089590C6E912F76EE70BD51E22962F9B1508E4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371612Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:10.372{27B459FE-6101-619F-9501-000000000F02}3392892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000371611Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:10.233{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87B13F3A08CE4B70CC9451DDCEA607D,SHA256=4E00BF036C1D65290FD58A44EE74634E4C9CA470AC065B8F7F353D949850DA4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371610Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:07.195{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58973-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371614Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:11.466{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA123D98D5774D019627E06A46987A4C,SHA256=012E32E61B0F4ACD75CE4C3BEBD157BE273C1BAFFCD1BDB5A3DF4A87F7C003A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324709Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:11.757{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-026MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324708Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:11.381{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5275E7BDE0D306DD8FB0C51AB1C89D19,SHA256=98AC1617CF06EC20578241BE3195FCA847E8D1498EDF7207CA9FA6B9CAAAF901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324710Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:12.397{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD843D20EFB6C8398D172D60EA6E504F,SHA256=51BE52CABA835AA1372E44E50348BB09A245A99AF288BBEAE83315E2C67A1D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371623Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:12.482{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B85F5E5741DBAD4D0E859C471097AF,SHA256=BD605346613E279B0815FBAC13DE685B7A3E354A63B8766EA1A9BBF997D8A164,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371622Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:12.122{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6104-619F-9601-000000000F02}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371621Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:12.122{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371620Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:12.122{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371619Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:12.122{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371618Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:12.122{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371617Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:12.122{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-6104-619F-9601-000000000F02}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371616Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:12.122{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6104-619F-9601-000000000F02}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371615Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:12.123{27B459FE-6104-619F-9601-000000000F02}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000324712Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:11.658{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50061-false10.0.1.12-8000- 23542300x8000000000000000324711Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:13.413{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C649F6F36B2EED0073949AECA449393,SHA256=FE4D41E42297EB87CCE4E391564B065D03D25D06B514A6F0EDB8D7635F525CFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371625Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:13.482{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117E83376EF9D9F368D34145FA606D47,SHA256=E30503B682747E939D9C5146B935DF05964AEDB6D647D93084573CE04C9948CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371624Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:13.122{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=312631514DB5D1337E354F298DA77722,SHA256=A8A0A962A73FEA7F215885F92FADA3360D50FC4CC3DABC7EC11E4E399B00C8F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324713Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:14.413{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F6EDC99F67A6E0B4DB9C1B01DA7FF2,SHA256=E32EF198922B56E1A31933B330DD7BB10C5BF1D8A9430A1B182997F4FD9FB520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371627Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:14.810{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371626Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:14.482{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E96C275C3107BD6C9DC9CE38AD4E613,SHA256=D47AEE6B140E8E45D56AA72148DAF5C34871B85919E08F35CF671101B3D892E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371628Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:15.544{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F598125B4CE9B8776088E5E24E245AB8,SHA256=39FB3014F156AAAD1D1BC255157DC6CAE23A84AFFBA9F15880383D1E724B41EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324714Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:15.413{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA1D14815CCA734FDB8B051D2006411,SHA256=0652FD85442717CFAD26326CE5FBBF0ADBC66F72708B311F30DA0EE916BDB141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371631Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:16.544{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B10434ED211C8079949DE81316FAF9,SHA256=FB78FD07F9BE1733355F0FE45AD7E60F9F461C47523E563B050B109F50679261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324715Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:16.429{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743C075E69D36B3D8FD9EEF82181C8E1,SHA256=2F21374B2585EE6544E6246E1C783F82065C4039CD9AFDA9ABE0CE208B554A52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371630Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:13.836{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58975-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000371629Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:13.164{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58974-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000324716Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:17.429{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2003832D494F156FABDB2D6420326757,SHA256=F6215387FB6F927B6AE362BAF1F13A3785C84366831A1802F1162F953CF48803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371632Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:17.576{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4908ADF69E3F41270D9C5E5A3E12E7FF,SHA256=461B10B89F0A944D92FBC0DBD68E6EEB85EA91B8AB66DEEF36A9471A8BC93C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324717Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:18.444{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C00513C1B051939B533543A9BCC883,SHA256=39BC203BF7CD6BA116AB5D7459A2A0779BDF35C9935F25D1AA2F9064497EEA9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371633Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:18.591{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877E4FF3CCA5B6B2417098CAE3B56018,SHA256=5EF70F41A4B08411BC219C0EBFC41FE2FD1704BA09D96401AC2A948725DD02E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371634Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:19.591{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F889A38258BC33DFB2355C9CDEF2AB,SHA256=86CB422EE40C2A36785372EFBFE4FBF35E0D4F40BFF73A4F0ED63143AC23E139,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000324719Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:10:19.507{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e4-0xa6a0ddaa) 23542300x8000000000000000324718Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:19.475{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A6E823DCC5AEA531ECE7071B9DA847,SHA256=FCC37C2DDDB76EB788EF971616D074D2F70DD5E60CC6933C6D8528277481EC8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371635Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:20.607{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4CF7340065D13A6394B079C9DB3E51,SHA256=CA34E158D085F475F59113F12F3D2CE162ED3AFACFC06C685AED12A6F6CD7C4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324721Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:17.659{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50062-false10.0.1.12-8000- 23542300x8000000000000000324720Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:20.487{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F4EA1172486D3D44B75A8C68D7820A,SHA256=E4D3ED936D751D5807B2A9359548FBB5466DA0B4CCC0AF1C984630C5C7C19E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324722Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:21.517{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC38CAE851730CE19781A632712147F,SHA256=7487CE26D9D6D6FB704EFC5904739718D3633DA69D54C66207A21F5C1405F10E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371637Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:21.607{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9386E8A50DC8913A01E37017FCF79403,SHA256=D1A797BE75F507A22D84723B52FF1B7F5F6C3364924B838D940E19C873F32ED5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371636Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:19.133{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58976-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000324723Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:22.548{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2535CEF6141303ECE338CF8BE8A47E89,SHA256=44EBA8155D02B0741A32AEC275F50A6BAD10B300D0B4C9A2F260E62C0C5AEDB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371638Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:22.607{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049B3BB37F94E88035F432E629150918,SHA256=E05B56346F0DBC794EFE7C276A08C98E67C0F548ECC4943DBF63752701255ED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324724Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:23.564{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30F8797C2C99E1F5675908390B1C203,SHA256=CAB7A5B5D9D5B1F79DD08B5EA2165440F443A40F24EA102D85F62BDAA92170E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371639Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:23.638{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE32CEC4F51C3935C0426209846C521A,SHA256=A55B752E153D944018B1111F79C7ECD39E2A2DEEDB3BEFC7B23EFD56C854A4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371640Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:24.669{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F013D648C5E35DE35AC33DE555B159,SHA256=00D3B40B736C365E97CC6962550DD576484739DA91B331C5CC629271CEEEF75E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324726Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:22.750{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50063-false10.0.1.12-8000- 23542300x8000000000000000324725Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:24.564{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC43BBF213DACD017BA643DAD036B126,SHA256=63B6CC18E4F8C0518D22A6F814463FCFD86B440D3629C0AC01398A50B347631B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324727Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:25.564{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8853D94EBF64898C639DC38EF922C1C,SHA256=B8AA7EAEDD1CA7B148D411AB333DCD8663A1A9D4AFFBCDD219EFAE4960A9C7CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371641Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:25.685{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8810C3FEE51E0455B4AB514708E684D,SHA256=6464BD0235BF6DEC374F917CCDB1B3B9E2B8C474093CA4A05B2B83305B87A44B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324728Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:26.564{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7C15A8B803F44AD9BDF41886943D99,SHA256=219EAF1AA477D3C28BD3791A9186AF08F90834F7D13C415D9D527A8BD3272D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371642Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:26.685{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04357D54A3946D0EAA3F0CFA1954A0C9,SHA256=60B42B804D92DBBAAA033CC308B8A091A13952D330EAB4812E267B230292B639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324729Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:27.563{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80C0DC6841C50A465762CE5E7CEA998,SHA256=E9E1973A45AC39D65BDA1BD2F3FA3F531C59E1AD015ED014C499EA1426471770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371644Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:27.716{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB33C5D124EDE83E1E10220A77B38D6,SHA256=91117EE8F0C7D00D3233E4761B57F94B27B5769F79EE5F500B02B6F3FFD32DDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371643Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:24.289{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58977-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371645Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:28.752{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA60B775F3B505FDBD2377FDE02AA3FE,SHA256=D884A59317FB842080ADCF4AD01621930CD157C47ACD438E65DFFF417B0382EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324730Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:28.579{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC443DC340818321D40C4EE16D3B88D9,SHA256=108700921FB00ECBFC996CAC0AD43B4B5517AC09230525C292EA09EFC18ED66D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371646Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:29.763{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB59780DD73C5F3451D1597D01B26085,SHA256=36711BF1D8BA596F67E7F1CB7FFA92E74AE39CE3B29739646BAB8E564BCAD9E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324732Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:29.610{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450D43EF53A78406EBC738CABF7D75D5,SHA256=DDA7AFD92A26D0FD3F03BE0A0E3C75AEDA7819D24F32ACB94E9F5468CC0C5970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324731Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:29.392{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7808CD7C1EC1950C0DBD7628C1A53CB1,SHA256=032CC074DC2AFC48361ACD230157C0BB54B9CCC8A5AC9B18643BABF72D667BD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324734Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:30.610{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC465B5CFBDE31A127FE7D912ACB3F1,SHA256=75EB6C8AC3CB1FBA2F0E28A41BE4A712A1D04ED04BF53AB45C6CABB7C4ED21A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371648Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:30.861{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-025MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371647Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:30.797{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=084F6EFE04F566832ADE0292E7F6691F,SHA256=B494C41B795C063D7CE9EAAA351E422EA7FD12158E8CF8B8C30EDFA8EA3D6F48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324733Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:30.345{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324736Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:28.721{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50064-false10.0.1.12-8000- 23542300x8000000000000000324735Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:31.610{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA3092870F51834F5566787FCC94B68F,SHA256=37ED336E82AA214D12A73B2ED2B87A168D218010605F89DB5E3380040C2A0A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371650Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:31.876{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-026MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371649Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:31.827{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D39F6647A00CC97F3345542163B764,SHA256=95EA57CB47829BBCA6FC843DB39CF004B6A9086211E47E7381D2352B9EF65D6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371652Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:32.845{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1799694B812E7D39F0C4F9BEA9E249E5,SHA256=809939AF1D885E4D998334F2E31C1C3989D9CA309D8F00E666D64FA2D5D5355E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324741Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:29.925{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50065-false10.0.1.12-8089- 23542300x8000000000000000324740Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:32.845{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F59A705DDAB99031E702CCE2EEBF892,SHA256=1E2638A45599E19BB2EAE8A3979D6727AFFD418E1C66C6AE379A51D0CC9D2141,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324739Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:32.063{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324738Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:32.063{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324737Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:32.063{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC0-619F-1600-000000001002}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000371651Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:30.088{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58978-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371653Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:33.876{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718A164CF63563C8F75C294E57D2916C,SHA256=6EC189F81D2E96B29DE82C3FBCF58533324ACBD7A87999C65D4543BC3267CE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324742Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:33.892{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB50ED06CE63A5D98061DB6E2ADC2E88,SHA256=9FD1002A64AE1024453BAFEAC0C74728E6611E22D0A1B969E21B87D183B70A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324743Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:34.892{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174CFB41FDB400B18FD6772801AB029E,SHA256=85A7855EA5338481869A25E9931E016CEA866B941FCFD3B8B8628CBB1782B2AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371654Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:34.470{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=65095B766A14F9B1547F5DBB50CBC83C,SHA256=1F8751F25FD8A60820933F45B78356D54EB75354280B70ED51C986FBB5E5FED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324745Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:35.907{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F2223826778F7666E099962393E917,SHA256=366FD3E61938D16FD7E3A6F72EC37259F898CE04900CD9AE8E2B7A4BBE30301E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371655Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:35.033{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7DD73B2E9FB1936C42D44BF125EADF,SHA256=4494B2009907621DF6FE31180E5BBAFE3BF362A27DFD2F5606D6AA7841AC9CF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324744Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:33.802{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50066-false10.0.1.12-8000- 23542300x8000000000000000324746Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:36.907{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5D95C9EBD34E01C6206E0F61E580E5,SHA256=5F09E8D312098067A6AADF9ADFB3275D297310DDC94C9E04090BDE83EA69F4DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371656Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:36.033{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0F6BCD7281E5A1D3563B3BEB3427A3,SHA256=D02C0C1E2BFF3A39EBBA5B76F584FD3B5FFE1CA9EDB7683A058C0DFA57882D73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324747Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:37.907{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CFC0A7337C99FF8C6785CF6435A9EF,SHA256=DD6849BEDAFC027D1765FED311D54C4A95788D81C09FABAF7CE5164A230F1606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371657Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:37.033{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB920D40D7DD89BF5F3D09EA75F8CBA7,SHA256=68DD449F2B7ED7F0E90BA92673A66529121D9C4C18FFB225FB884109E50243F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324748Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:38.907{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6247BDC94A190F888FED338CFC8444C,SHA256=D4E32C95A5A318CA97F8748F961491718C878EC0576C865AB464371065CDF378,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371659Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:36.074{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58979-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371658Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:38.267{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434197A4204AA5D8BC788ECF4B85DF1A,SHA256=BF9BCD13F9AEC4D19DBA2B1C89EF338347790AEAA15CBBBEA6DE8C5FAD63C890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324749Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:39.931{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A7E41A63183E8257F1E1A9EA2E05C5,SHA256=75CCB0C1935417295E6BED7E683FB182C8D0D11B3DD2D9923366F9FC34BA8CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371660Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:39.330{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2977078AD9303629CB0EFBB000D5D26E,SHA256=EAF24C3FCB70C4B6FFAF1925179F9F120F3583E4F8F62E7EB01D1B6FCE671AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324750Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:40.931{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F8CEFB429DD62149825E9578DDD5E5E,SHA256=391BE69BCD95E3B8E63DADBFA876D8A0D60B5CDAFD8633FEB788ABE00051BDB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371661Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:40.343{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C00A90C99D62E009B0CD1A36147B49,SHA256=48BF400D5C2068E394AADFFFAACA3DF4B62C9BC55CEEA0EACE37D73C58FBFCD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324752Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:41.962{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45077A24B10476760EE9A22AB33E8EF,SHA256=1FC4159419785638CEB75AFCF7FDDF9F258F33F3CFA9FC5DCDE8EC8BD6693749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371662Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:41.358{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5750735822E4F226B35D3BD4F2528E0F,SHA256=27E0CFEAEDE221D30A44CCFEE9217FD8794D35F1F569D7733CE5EFDD8AA9CEE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324751Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:38.836{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50067-false10.0.1.12-8000- 23542300x8000000000000000324753Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:42.963{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB25C2234D4B1E21917AE3B5524796A8,SHA256=24E8D30F85D6050AC004E1C72CEA3E43FC0E5A484C095734AB88121B6D1FF3B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371663Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:42.390{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC040DC921180902D9EF2812CAD9246,SHA256=8EFC207A3F1986DFBEE7272756F8CF950B3C8F8A3E16EB7B2BFA35A2F991117D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324767Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:43.978{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F8C5E9059676F7677900DF4CDC67B4,SHA256=28E8536089F27A90B737B099D1DB39FA527D048FE895327A384FD9A0744DF035,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371665Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:41.212{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58980-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371664Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:43.390{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C139138A3778AB492543A1B4505B0D,SHA256=E0807C29640B86F8E75B02C26A3EEACC62DF60DAF0AB0FC80B0EDFAF5C5BBEF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324766Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:43.509{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6123-619F-5201-000000001002}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324765Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:43.509{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324764Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:43.509{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324763Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:43.509{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324762Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:43.509{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324761Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:43.509{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324760Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:43.509{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324759Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:43.509{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324758Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:43.509{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324757Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:43.509{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324756Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:43.509{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-6123-619F-5201-000000001002}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324755Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:43.509{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6123-619F-5201-000000001002}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324754Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:43.511{99D2EDAA-6123-619F-5201-000000001002}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000371666Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:44.405{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67DF0030DFAA2E671CD159BE7EE4931,SHA256=E44FD6595D1213E4C642E41803576E0727AB43C9617DB5E7CAC800312C58568C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324783Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.713{99D2EDAA-6124-619F-5301-000000001002}11083296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324782Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.525{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6124-619F-5301-000000001002}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324781Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.525{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324780Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.525{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324779Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.525{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324778Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.525{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324777Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.525{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324776Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.525{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324775Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.525{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324774Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.525{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324773Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.525{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324772Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.525{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-6124-619F-5301-000000001002}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324771Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.525{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6124-619F-5301-000000001002}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324770Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.526{99D2EDAA-6124-619F-5301-000000001002}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324769Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.510{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AEBEBB18A3F70C00F68D79E543A03CF,SHA256=D7DE222ABFDA9ECAB68AD9AB2056E1CC7C32AE450D7BBBF4B83FBE882098A273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324768Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.510{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F6CE9B3263846D3D9A64E9FC96AC99B,SHA256=706AA11FD78CCC8EA858DECE6E131451D71706045672B4E0A260E1389EE64585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371667Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:45.405{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E083DB33B2474AB948DD47F140F01F,SHA256=470004EE0B7D7E2B017A96028AEF89F8264E6D729D799F58BCC861732C1ABE01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324798Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:45.775{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6125-619F-5401-000000001002}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324797Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:45.775{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324796Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:45.775{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324795Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:45.775{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324794Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:45.775{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324793Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:45.775{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324792Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:45.775{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324791Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:45.775{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324790Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:45.775{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324789Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:45.775{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324788Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:45.775{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-6125-619F-5401-000000001002}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324787Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:45.775{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6125-619F-5401-000000001002}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324786Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:45.777{99D2EDAA-6125-619F-5401-000000001002}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324785Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:45.556{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AEBEBB18A3F70C00F68D79E543A03CF,SHA256=D7DE222ABFDA9ECAB68AD9AB2056E1CC7C32AE450D7BBBF4B83FBE882098A273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324784Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.994{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC48A48460D7ADB282094CB3815F843D,SHA256=655DF2BFD2A272CF3A5C183E7877483F491CF12D2BAB7156F32DF2DD810FBC26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371668Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:46.421{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=129EF5EDC5C5346C46CD6740577E23C6,SHA256=4809D5495F0CB78F09C1E9A213A21CEF74B02A335129D9DBF491FE11B8BFF1B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324800Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:46.775{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ECAB270BB3E3985D604796FEB6295D4,SHA256=2689C82760AA0593FF2064479CEDB84AEA031C2469DAC6F9ECC85779C28C819E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324799Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:45.994{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D08118C83588EDEF65E0D490B1E99A1,SHA256=46AFAFC2AE8FCF25B4FA0E9E73CD8FFB6F59FC4E0E3C5BE9141F832E8A547BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371669Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:47.421{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391FC43B9D13FAEF2F45A52CEE35A06B,SHA256=DB8998F9813E6E517C8BFD24194E611AECC0B38A704FAB355A68EDA85905ED17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324816Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:47.473{99D2EDAA-6127-619F-5501-000000001002}11242464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000324815Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:44.847{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50068-false10.0.1.12-8000- 10341000x8000000000000000324814Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:47.228{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6127-619F-5501-000000001002}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324813Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:47.228{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324812Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:47.228{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324811Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:47.228{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324810Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:47.228{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324809Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:47.228{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324808Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:47.228{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324807Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:47.228{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324806Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:47.228{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324805Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:47.228{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324804Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:47.228{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-6127-619F-5501-000000001002}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324803Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:47.228{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6127-619F-5501-000000001002}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324802Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:47.229{99D2EDAA-6127-619F-5501-000000001002}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324801Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:47.072{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A18190478B2416236A0886B26BB35CC3,SHA256=39A59AC71FF279F6F033C0DACB5A11A63061E670D1B4729AAC378F5CB1A5985E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371670Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:48.421{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=329B98BF1C22B4D40E2D55F8E56B0FDB,SHA256=803F862156AD82CCF5EFFFB37971078D6BCF519E2A67F0B3572118B9460BE9D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324832Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:48.759{99D2EDAA-6128-619F-5601-000000001002}884340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324831Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:48.602{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6128-619F-5601-000000001002}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324830Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:48.602{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324829Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:48.602{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324828Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:48.602{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324827Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:48.602{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324826Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:48.602{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324825Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:48.602{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324824Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:48.602{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324823Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:48.602{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324822Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:48.602{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324821Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:48.602{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-6128-619F-5601-000000001002}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324820Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:48.602{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6128-619F-5601-000000001002}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324819Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:48.603{99D2EDAA-6128-619F-5601-000000001002}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324818Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:48.259{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9941C2BFF2B555786C920E0099C8EE9,SHA256=BA04D7265822C167990136014BE1FBAA5249E452F83176ED9F7203E66CB6154B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324817Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:48.118{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB438318D575AEB26514B2043109D56,SHA256=F122C6F77B89D9CB25928EAEB4764728573411555098FC6DB448FABD122B1780,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371672Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:47.181{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58981-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371671Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:49.452{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22592E17791494CD5575029E9BEB6FD,SHA256=D2B2BD67E9C7FECD7A59BABE97B3083BCAC7772DCB58A8DDD1DE22E020FA4999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324848Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:49.649{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C17219245B6D0933EFAA582D089BF23D,SHA256=2DD9B4DF80CC4E45CFCD3C30655AAE7C274282D3A106A02A57053D6021D6F29C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324847Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:49.508{99D2EDAA-6129-619F-5701-000000001002}2496952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324846Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:49.352{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6129-619F-5701-000000001002}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324845Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:49.352{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324844Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:49.352{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324843Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:49.352{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324842Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:49.352{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324841Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:49.352{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324840Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:49.352{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324839Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:49.352{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324838Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:49.352{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324837Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:49.352{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324836Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:49.352{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-6129-619F-5701-000000001002}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324835Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:49.352{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6129-619F-5701-000000001002}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324834Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:49.353{99D2EDAA-6129-619F-5701-000000001002}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324833Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:49.165{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23EFAFD0C363BF67BDC60678B19CB1DA,SHA256=9D5CF87F3223DDA25BDD94A649DB9D97FF8E26F94AF48CFD92E9F6D25EED51B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371675Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:50.452{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5F0F9743300997F61C5A27629E5259,SHA256=7ED95D4D8D5AC2D27F84DEE89AB629C61DC4DBC6EA25140DBE0D5EF7575243B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324862Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:50.555{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-612A-619F-5801-000000001002}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324861Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:50.555{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324860Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:50.555{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324859Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:50.555{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324858Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:50.555{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324857Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:50.555{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324856Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:50.555{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324855Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:50.555{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324854Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:50.555{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324853Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:50.555{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324852Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:50.555{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-612A-619F-5801-000000001002}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324851Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:50.555{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-612A-619F-5801-000000001002}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324850Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:50.556{99D2EDAA-612A-619F-5801-000000001002}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324849Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:50.180{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC2495C9F736C3FE70C1C71ACC3497D,SHA256=E38C87FFE09E6E2899E39A7938494A0BA5CBEF91FC5916CEF3C3C030537F3D3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371674Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:50.280{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2B00-000000000F02}3000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371673Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:50.280{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5F48-619F-5D01-000000000F02}5868C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000371676Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:51.468{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE7EA0D1C57F351438E2C64CAE4BA84,SHA256=D3E1BC76855F09CDA84FD0CCB593C3E32BD1B8086A51E34BAAEE1A7BAA898D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324864Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:51.773{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A3A4D0AB5F442DFA642AADEE093DD03,SHA256=796DC0A13C5E4DBC62E7FCE41032B201F2635C33682F7ECA48B8B250F9B63D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324863Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:51.273{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3EE905FAA6A3DB78456AC970F6AF5A,SHA256=FB7908EB6ABD15330280E479716631DD6FA1339B818CAD5C34E89954C02FBAC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371680Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:52.952{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1500-000000000F02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371679Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:52.952{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1500-000000000F02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371678Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:52.952{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1500-000000000F02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000371677Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:52.468{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441381D94FCAADAC8C1B69757BE888A5,SHA256=D76EB17B356F4B04DF17FF952EDBCA430CB2D6F62DC3688169AFAB9741BB2761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324865Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:52.289{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09ABDCF92C9471092222862F279D717,SHA256=9617BFF37453BEA94ABCD974B8DE1AD6B4C5DEFAB8BE4D298F782E8966AC0448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371681Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:53.484{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73929AABFFB418263F9AB062FF683657,SHA256=499785EAFB5F1A1A525EBF526A7ADB7E878BB0AFC65F80CF745504FD62BFB7FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324867Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:50.754{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50069-false10.0.1.12-8000- 23542300x8000000000000000324866Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:53.288{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF9E36EC8E65C076CC7AF574F92EBA9,SHA256=BDE2F6A72036C02E3245612B82AB3408BDB63B6D41E85E13A7B5E51BA1ABB7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371682Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:54.499{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C151B65B8DBADF23CFB00FFCF8F793,SHA256=726CF30139EE48AB9DFC1077C83862B0D568EBFBB68829AB8CCBE55B996B745D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324868Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:54.319{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D95FFD2A60CC2EDAC66D6959F9ABC4,SHA256=C211D4D5B4B970D2374B194BD7B371BC7ED4537F4E46F607E7F87250BC215681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371683Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:55.515{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4512EDCDAEAEFA28703BC60923A733,SHA256=D374274E2552EDA2992C37A22BF8D3636BE34325544DDD481E1910C1C2E8E048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324869Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:55.335{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707183AE2686D8F6F0D4AF1E218DAEF0,SHA256=495B4BC847F4AE9EF870EF5C2B5FD584B3AC758FFDB0E90CD70BC0FCD2CB51BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371685Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:56.531{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A932B8D232673AC630E14BE128B952,SHA256=E5F83FA36DB73763E2C2C321C8734000724ADBCC00C65D810E6555F5918F1745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324870Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:56.381{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CC96B921F1D63019D8AA7F288D31D8,SHA256=8B3612E4600CC3CC75853CC8215494657FC2C54B0A30F51EAD913792D022163F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371684Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:53.134{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58982-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000371686Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:57.624{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C44561567A503A4D8B46386706C36B,SHA256=4E0EA8481F2B1C500F8DE47B0272D0E4AA37CD88747D56F365F96C5F75268F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324871Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:57.443{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03DE2E08A8C9FEC2717133650775D712,SHA256=B4A51FC51EC14305D5407AE137E38E7AA55A716BA8B46DEDD78BC77A3A27F148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371694Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:58.624{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEA098057E82391AC25909F9F6C7A926,SHA256=B43E7F995C0C850FBD486E990FB6D5EE0CD4449973C817B1CDEC9806EA0D8A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324872Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:58.443{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07ACAE172783FD42FBA76FADBB6A57A6,SHA256=EA7F5C9624D1E1B00509EFEED21653EDFAE8F0F01942F12FD471C49F83E0945A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371693Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:58.515{27B459FE-5C05-619F-B200-000000000F02}47484212C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371692Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:58.515{27B459FE-5C05-619F-B200-000000000F02}47484212C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371691Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:58.515{27B459FE-5C05-619F-B200-000000000F02}47484212C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4C01-000000000F02}5596C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371690Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:58.515{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371689Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:58.515{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371688Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:58.515{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371687Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:58.515{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5EE2-619F-4D01-000000000F02}5176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000324874Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:56.801{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50070-false10.0.1.12-8000- 23542300x8000000000000000324873Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:10:59.536{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C9C860534B7E2081435047B313485F,SHA256=D933EBAE37A07CAD7259E587F681EEF71D26DF1F783EA030ECB602FD8B36A673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371695Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:59.640{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C42AC44F621FA6DC852702C8DBE79B,SHA256=1F6F5B8420E0017A31F433FDC1ECD47C4A07C7EDD11B2440B224EDA1787A34FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324875Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:00.662{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B37D9877C8D2BD93269A89AD64ECAF9,SHA256=DC3A526819A1DCF5854DE0443337625EBC9D0406BC006CCAC23A2D4CB4966477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371696Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:00.645{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DBE6E90CCDF6083A32269B9FABCF79,SHA256=C5905C620CA2504DB9AE363A7C5060B7D99B88145085D4AF5830B1C070598A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371699Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:01.645{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CE641436B73491E1B277BC727D0314,SHA256=381FF41FFF6E08D4159FADFEC453704B4177003ADF393725F2352D36D3C06D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324876Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:01.677{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D908F4794FAEE7F37991A32DC67FF91,SHA256=1B65339B42D215DA0885C81355554966C236623B12AD235421996E2785029DD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371698Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:01.410{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EF0156711D74BC6A4B28F84636100891,SHA256=BAE43E7B83C473E8744D2196F8EB1BF15D911A7BD7372BCCB978AE841CBF0578,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000371697Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:10:58.150{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58983-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000324877Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:02.677{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B58A956C53A83FB5275DF47432DCAF,SHA256=F4196417C62DDCF57CFF9D9956594EE50655D5632A4EE104F53AB166E8FD1B6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371700Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:02.645{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1605FEC1E9EF2187FABA32D3BEC2FBD,SHA256=36EE3DF50B378905E594B470287D09434927BEDDB882373C9F3F6D63695A1992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324878Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:03.708{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=329C9D5C41D7F64BE0E41C862C71D4CD,SHA256=35FA3C5BC7DFCA73940DC4556EA992D2B8430124A4B275EABB8D1FA3C023F431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371701Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:03.645{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A00F5F7E16B76E0B59CB37634F19071C,SHA256=BEE767487E24BB35EA6F2035B3D81214769EEAEFF0CBAC02F1851EB49E95D077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324880Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:04.723{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C72FA62E8553B232A3F7A050E4B309E,SHA256=8A83EFA444476FBB13A094FA7F5957BE38D5F7D64D7D092415D91B408A956FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371712Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:04.676{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0A4C2CBC510FBF4EF7935BA069DACA,SHA256=06E85913721A2037A6AAAC47417554BD580670BD7401535D42A6570166C2AA73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371711Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:04.661{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=798C5B85D13D1C3FADA7FBC15B19B907,SHA256=9D6262C3B445CDD388B74935AF881790611E258684401515848F03C88B59660A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371710Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:04.661{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78DE9FE1B2B09B4D09356F276F3FAA0E,SHA256=684C47DAC202AF26F5A32BC8426ABB7E4D4906ACF775CE81B5F307B61E73EE52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324879Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:01.818{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50071-false10.0.1.12-8000- 10341000x8000000000000000371709Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:04.426{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6138-619F-9701-000000000F02}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371708Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:04.426{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371707Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:04.426{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371706Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:04.426{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371705Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:04.426{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371704Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:04.426{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-6138-619F-9701-000000000F02}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371703Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:04.426{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6138-619F-9701-000000000F02}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371702Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:04.427{27B459FE-6138-619F-9701-000000000F02}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000371724Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:05.754{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0685314B2A116FC0479F42E5665626,SHA256=1038B0898ED2914C3ADFF527AD1C00CB5370AD23E4BA98F30F75DE281888AEF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324881Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:05.739{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DCB24313B86E562ADA304D78AAC583,SHA256=904CDBA0FB5250264FF5AEAD02FF82C9A1AB19EDA7DA938182EF9544D56D0F79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371723Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:05.504{27B459FE-6139-619F-9801-000000000F02}40321280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371722Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:05.301{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6139-619F-9801-000000000F02}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371721Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:05.301{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371720Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:05.301{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371719Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:05.301{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371718Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:05.301{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371717Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:05.301{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-6139-619F-9801-000000000F02}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371716Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:05.301{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6139-619F-9801-000000000F02}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371715Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:05.302{27B459FE-6139-619F-9801-000000000F02}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000371714Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:02.686{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58984-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000371713Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:02.686{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58984-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 10341000x8000000000000000371742Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.989{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371741Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.989{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371740Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.989{27B459FE-5C01-619F-A300-000000000F02}13442476C:\Windows\system32\csrss.exe{27B459FE-613A-619F-9A01-000000000F02}4680C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371739Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.989{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371738Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.989{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371737Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.989{27B459FE-5C05-619F-B200-000000000F02}47483292C:\Windows\Explorer.EXE{27B459FE-613A-619F-9A01-000000000F02}4680C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\windows.storage.dll+15922|C:\Windows\System32\windows.storage.dll+15619|C:\Windows\System32\windows.storage.dll+154ef|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x8000000000000000371736Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.986{27B459FE-613A-619F-9A01-000000000F02}4680C:\Program Files\Mozilla Firefox\firefox.exe94.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=B7A783B6E7C1E3D42CBD21294B1F53D0,SHA256=FA022774AD52430FBC203B38B9A395BA0CEF61A121A330F917754DBA316D4C93,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000371735Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.770{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC34DC83C6170350D867A8218472ADEB,SHA256=43804B56E90B5C55389AF869EA4CBFBD5786E4F2C7B648CC755D2769E40ACC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324882Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:06.738{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E113EDA2AAB93C416E3C8B3B00749E9D,SHA256=23D08613BFABD3D543C0BE5D1AF0786457A82E0A999BB4D0023FE2D15BEF8019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371734Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.457{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=798C5B85D13D1C3FADA7FBC15B19B907,SHA256=9D6262C3B445CDD388B74935AF881790611E258684401515848F03C88B59660A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371733Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.426{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-613A-619F-9901-000000000F02}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371732Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.426{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371731Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.426{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371730Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.426{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371729Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.426{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371728Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.426{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-613A-619F-9901-000000000F02}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371727Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.426{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-613A-619F-9901-000000000F02}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371726Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.427{27B459FE-613A-619F-9901-000000000F02}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000371725Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:03.202{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58985-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000324883Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:07.769{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9734F2F7C14A0B744963A12B9E3CA9AE,SHA256=B665C3AF936486404F9A7BE3629C53A20332598F4233E1F81250DBAACD672E22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371769Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.146{27B459FE-5C05-619F-B200-000000000F02}47484212C:\Windows\Explorer.EXE{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371768Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.146{27B459FE-5C05-619F-B200-000000000F02}47484212C:\Windows\Explorer.EXE{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371767Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.129{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371766Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.129{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371765Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.114{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+11d74|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371764Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.114{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+11d74|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371763Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.114{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371762Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.114{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371761Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.114{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371760Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.114{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371759Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.114{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371758Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.114{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371757Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.098{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371756Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.098{27B459FE-5AC5-619F-1600-000000000F02}12881736C:\Windows\System32\svchost.exe{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371755Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.098{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371754Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.098{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613A-619F-9A01-000000000F02}4680C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+b5f6|C:\Program Files\Mozilla Firefox\firefox.exe+99b9|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371753Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.036{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371752Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.036{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371751Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.036{27B459FE-5C01-619F-A300-000000000F02}13442476C:\Windows\system32\csrss.exe{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371750Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.036{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371749Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.036{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371748Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.036{27B459FE-613A-619F-9A01-000000000F02}46801748C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ce05|C:\Program Files\Mozilla Firefox\firefox.exe+99b9|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371747Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.049{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe94.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2MediumMD5=B7A783B6E7C1E3D42CBD21294B1F53D0,SHA256=FA022774AD52430FBC203B38B9A395BA0CEF61A121A330F917754DBA316D4C93,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{27B459FE-613A-619F-9A01-000000000F02}4680C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000371746Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.036{27B459FE-613A-619F-9A01-000000000F02}46801748C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+b5f6|C:\Program Files\Mozilla Firefox\firefox.exe+99b9|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371745Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.004{27B459FE-5AC4-619F-1000-000000000F02}3801140C:\Windows\System32\svchost.exe{27B459FE-613A-619F-9A01-000000000F02}4680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371744Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:07.004{27B459FE-5AC4-619F-1000-000000000F02}3801140C:\Windows\System32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371743Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:06.989{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000324884Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:08.769{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F74B8BDADE5E8543FCF9BBA06541B4,SHA256=C5CCD87C9437625915D6AD0677D205B4611C30BE80CEF967807D5A39A9AC2910,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371780Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:08.786{27B459FE-613C-619F-9C01-000000000F02}56925752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371779Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:08.536{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-613C-619F-9C01-000000000F02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371778Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:08.520{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-613C-619F-9C01-000000000F02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371777Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:08.520{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371776Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:08.520{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371775Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:08.520{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371774Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:08.520{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371773Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:08.520{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-613C-619F-9C01-000000000F02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371772Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:08.521{27B459FE-613C-619F-9C01-000000000F02}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000371771Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:08.192{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDE35F3AF02690288B0E276D2148F7EA,SHA256=154449AA465D6820A1789A684B492CF2DA0028E8DF751F7111EC135BC7A5A440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371770Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:08.067{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD05F5F141EC716C9616BCFA22D0CB85,SHA256=CC63F3A968F92D7F28264F4F82B4046AFE55CE728C996CE6662E86022BF20CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324886Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:09.800{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7867662864933F80150AE005ED771F,SHA256=FEAB9B92B027FF857601176F9C2CACF2CB6F5A3CC6B08453575748A0CC89ABC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324885Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:07.787{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50072-false10.0.1.12-8000- 10341000x8000000000000000371853Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.958{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371852Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.958{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000371851Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:09.942{27B459FE-613D-619F-9E01-000000000F02}136\chrome.4556.2.20988430C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000371850Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.942{27B459FE-613B-619F-9B01-000000000F02}45563392C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+1b23dc|C:\Program Files\Mozilla Firefox\xul.dll+9511c6|C:\Program Files\Mozilla Firefox\xul.dll+94baaf|C:\Program Files\Mozilla Firefox\xul.dll+194c219|C:\Program Files\Mozilla Firefox\xul.dll+194a907|C:\Program Files\Mozilla Firefox\xul.dll+132f5|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+92d371|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000371849Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:11:09.942{27B459FE-613B-619F-9B01-000000000F02}4556\chrome.4556.2.20988430C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000371848Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.942{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000371847Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:09.942{27B459FE-613B-619F-9B01-000000000F02}4556\chrome.4556.1.23114033C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000371846Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.942{27B459FE-613B-619F-9B01-000000000F02}45564376C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12dedb|C:\Program Files\Mozilla Firefox\xul.dll+11937fd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000371845Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:09.942{27B459FE-613B-619F-9B01-000000000F02}4556\gecko-crash-server-pipe.4556C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000371844Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.942{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D0CCAAD62EE880FB677076D1C4A1C9,SHA256=AEAAF9683689F24CC46D64AD3428182368BED5F317974B72665208853DCFCEC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371843Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.911{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f0b0|C:\Program Files\Mozilla Firefox\xul.dll+dc758e|C:\Program Files\Mozilla Firefox\xul.dll+dc1549|C:\Program Files\Mozilla Firefox\xul.dll+db3010|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406|C:\Program Files\Mozilla Firefox\xul.dll+16f11ab|C:\Program Files\Mozilla Firefox\xul.dll+168609d|C:\Program Files\Mozilla Firefox\xul.dll+165af54|C:\Program Files\Mozilla Firefox\xul.dll+1aeabde|C:\Program Files\Mozilla Firefox\xul.dll+168653b 10341000x8000000000000000371842Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.911{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98de38|C:\Program Files\Mozilla Firefox\xul.dll+98db34|C:\Program Files\Mozilla Firefox\xul.dll+a139ee|C:\Program Files\Mozilla Firefox\xul.dll+db2fc0|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406|C:\Program Files\Mozilla Firefox\xul.dll+16f11ab|C:\Program Files\Mozilla Firefox\xul.dll+168609d|C:\Program Files\Mozilla Firefox\xul.dll+165af54 10341000x8000000000000000371841Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.911{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+81ae59|C:\Program Files\Mozilla Firefox\xul.dll+db2d1e|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406|C:\Program Files\Mozilla Firefox\xul.dll+16f11ab|C:\Program Files\Mozilla Firefox\xul.dll+168609d 10341000x8000000000000000371840Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.911{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+db2cba|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406|C:\Program Files\Mozilla Firefox\xul.dll+16f11ab|C:\Program Files\Mozilla Firefox\xul.dll+168609d|C:\Program Files\Mozilla Firefox\xul.dll+165af54|C:\Program Files\Mozilla Firefox\xul.dll+1aeabde 10341000x8000000000000000371839Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.911{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+db2c31|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406|C:\Program Files\Mozilla Firefox\xul.dll+16f11ab|C:\Program Files\Mozilla Firefox\xul.dll+168609d|C:\Program Files\Mozilla Firefox\xul.dll+165af54|C:\Program Files\Mozilla Firefox\xul.dll+1aeabde|C:\Program Files\Mozilla Firefox\xul.dll+168653b|C:\Program Files\Mozilla Firefox\xul.dll+165af54 10341000x8000000000000000371838Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.911{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+bc375|C:\Program Files\Mozilla Firefox\xul.dll+db2908|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406|C:\Program Files\Mozilla Firefox\xul.dll+16f11ab|C:\Program Files\Mozilla Firefox\xul.dll+168609d|C:\Program Files\Mozilla Firefox\xul.dll+165af54|C:\Program Files\Mozilla Firefox\xul.dll+1aeabde|C:\Program Files\Mozilla Firefox\xul.dll+168653b 10341000x8000000000000000371837Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.911{27B459FE-613B-619F-9B01-000000000F02}45563392C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+94415f|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+15f387c|C:\Program Files\Mozilla Firefox\xul.dll+194a98c|C:\Program Files\Mozilla Firefox\xul.dll+132f5|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+92d371|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371836Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.895{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371835Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.895{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371834Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.895{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371833Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.895{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371832Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.895{27B459FE-5C01-619F-A300-000000000F02}13444544C:\Windows\system32\csrss.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371831Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.895{27B459FE-613B-619F-9B01-000000000F02}45564348C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f3fd|C:\Program Files\Mozilla Firefox\firefox.exe+2e605|C:\Program Files\Mozilla Firefox\xul.dll+1f54d4a|C:\Program Files\Mozilla Firefox\xul.dll+9404aa|C:\Program Files\Mozilla Firefox\xul.dll+93e6b5|C:\Program Files\Mozilla Firefox\xul.dll+944f1e|C:\Program Files\Mozilla Firefox\xul.dll+7dd2b1|C:\Program Files\Mozilla Firefox\xul.dll+1601a09|C:\Program Files\Mozilla Firefox\xul.dll+2604a|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+7dfe67|C:\Program Files\Mozilla Firefox\nss3.dll+7617d|C:\Program Files\Mozilla Firefox\nss3.dll+8e1c1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371830Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.906{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe94.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.1.231140339\1296465087" -childID 1 -isForBrowser -prefsHandle 2080 -prefMapHandle 2076 -prefsLen 530 -prefMapSize 246000 -jsInit 1076 278680 -parentBuildID 20211119140621 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 2092 1d5eaf31d38 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2LowMD5=B7A783B6E7C1E3D42CBD21294B1F53D0,SHA256=FA022774AD52430FBC203B38B9A395BA0CEF61A121A330F917754DBA316D4C93,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000371829Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:11:09.895{27B459FE-613B-619F-9B01-000000000F02}4556\chrome.4556.1.23114033C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000371828Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.879{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+e4515e|C:\Program Files\Mozilla Firefox\xul.dll+b26e42|C:\Program Files\Mozilla Firefox\xul.dll+284695|C:\Program Files\Mozilla Firefox\xul.dll+28446a|C:\Program Files\Mozilla Firefox\xul.dll+e5e595|C:\Program Files\Mozilla Firefox\xul.dll+183e71a|C:\Program Files\Mozilla Firefox\xul.dll+1a52588|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a54a1f|C:\Program Files\Mozilla Firefox\xul.dll+16fe2b9|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406 10341000x8000000000000000371827Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.879{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+e45137|C:\Program Files\Mozilla Firefox\xul.dll+b26e42|C:\Program Files\Mozilla Firefox\xul.dll+284695|C:\Program Files\Mozilla Firefox\xul.dll+28446a|C:\Program Files\Mozilla Firefox\xul.dll+e5e595|C:\Program Files\Mozilla Firefox\xul.dll+183e71a|C:\Program Files\Mozilla Firefox\xul.dll+1a52588|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a54a1f|C:\Program Files\Mozilla Firefox\xul.dll+16fe2b9|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406 10341000x8000000000000000371826Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.879{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+e4510c|C:\Program Files\Mozilla Firefox\xul.dll+b26e42|C:\Program Files\Mozilla Firefox\xul.dll+284695|C:\Program Files\Mozilla Firefox\xul.dll+28446a|C:\Program Files\Mozilla Firefox\xul.dll+e5e595|C:\Program Files\Mozilla Firefox\xul.dll+183e71a|C:\Program Files\Mozilla Firefox\xul.dll+1a52588|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a54a1f|C:\Program Files\Mozilla Firefox\xul.dll+16fe2b9|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406 10341000x8000000000000000371825Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.864{27B459FE-613D-619F-9F01-000000000F02}58163516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000371824Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.661{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371823Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.661{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371822Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.583{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-613D-619F-9F01-000000000F02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371821Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.583{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371820Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.583{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371819Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.583{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371818Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.583{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371817Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.583{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-613D-619F-9F01-000000000F02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371816Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.583{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-613D-619F-9F01-000000000F02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371815Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.584{27B459FE-613D-619F-9F01-000000000F02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000371814Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.536{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBD907348399943054CFDCED486E96EB,SHA256=0D9F9A9AD5CD59AED0FABB2BA680B08D27DF9F228178D3F71B86D340F6A27D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371813Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.520{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\cache2\doomed\10009MD5=4FE1AE4CE561292B497F40B44CA6A82D,SHA256=1143BC44393074FE868459D409FD09A72C3102F132F8E43D114E578EA6DE8CC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371812Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.520{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\cookies.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371811Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.489{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371810Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.489{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371809Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.473{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371808Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.473{27B459FE-5AC5-619F-1600-000000000F02}12881736C:\Windows\System32\svchost.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371807Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.473{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000371806Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:09.458{27B459FE-613D-619F-9E01-000000000F02}136\chrome.4556.0.101455251C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000371805Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.458{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371804Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.458{27B459FE-613B-619F-9B01-000000000F02}45564376C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12dedb|C:\Program Files\Mozilla Firefox\xul.dll+11937fd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000371803Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:09.458{27B459FE-613D-619F-9E01-000000000F02}136\gecko-crash-server-pipe.4556C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000371802Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.458{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371801Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.442{27B459FE-613B-619F-9B01-000000000F02}45563392C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+94415f|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+15f387c|C:\Program Files\Mozilla Firefox\xul.dll+194a98c|C:\Program Files\Mozilla Firefox\xul.dll+132f5|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+92d371|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371800Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.442{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371799Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.442{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371798Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.442{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371797Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.442{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371796Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.442{27B459FE-5C01-619F-A300-000000000F02}13443148C:\Windows\system32\csrss.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371795Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.442{27B459FE-613B-619F-9B01-000000000F02}45564348C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+16ea9c4|C:\Program Files\Mozilla Firefox\xul.dll+940329|C:\Program Files\Mozilla Firefox\xul.dll+93e6b5|C:\Program Files\Mozilla Firefox\xul.dll+944f1e|C:\Program Files\Mozilla Firefox\xul.dll+7dd2b1|C:\Program Files\Mozilla Firefox\xul.dll+1601a09|C:\Program Files\Mozilla Firefox\xul.dll+2604a|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+7dfe67|C:\Program Files\Mozilla Firefox\nss3.dll+7617d|C:\Program Files\Mozilla Firefox\nss3.dll+8e1c1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371794Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.443{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe94.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.0.1014552517\334293200" -parentBuildID 20211119140621 -prefsHandle 1292 -prefMapHandle 1284 -prefsLen 1 -prefMapSize 246000 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 1384 1d5e4e62538 gpuC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2MediumMD5=B7A783B6E7C1E3D42CBD21294B1F53D0,SHA256=FA022774AD52430FBC203B38B9A395BA0CEF61A121A330F917754DBA316D4C93,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000371793Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:11:09.442{27B459FE-613B-619F-9B01-000000000F02}4556\chrome.4556.0.101455251C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000371792Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:11:09.426{27B459FE-613B-619F-9B01-000000000F02}4556\gecko-crash-server-pipe.4556C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000371791Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.286{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\parent.lockMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371790Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.270{27B459FE-613D-619F-9D01-000000000F02}15243268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000371789Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.067{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EBB1C4EB556A19E788391BBE08C40F,SHA256=52AB224C7E4A6EEB9E62C4BCC8057EA883E086584C8E7FFFD6750968595B2B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371788Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.020{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-613D-619F-9D01-000000000F02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371787Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.020{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371786Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.020{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371785Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.020{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371784Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.020{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371783Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.020{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-613D-619F-9D01-000000000F02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371782Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.020{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-613D-619F-9D01-000000000F02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371781Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.021{27B459FE-613D-619F-9D01-000000000F02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324887Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:10.800{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F79821F6F9EB301F6A8936EF7C9FE8E,SHA256=EFCDD48214C7A63B2206E80D7F86DBF95A5BB05411344118A7F5C84FAD84CA20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372058Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.978{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b45806|C:\Program Files\Mozilla Firefox\xul.dll+399190|C:\Program Files\Mozilla Firefox\xul.dll+398da9|C:\Program Files\Mozilla Firefox\xul.dll+398c58|C:\Program Files\Mozilla Firefox\xul.dll+26a33f8|C:\Program Files\Mozilla Firefox\xul.dll+269473c|C:\Program Files\Mozilla Firefox\xul.dll+b55447|C:\Program Files\Mozilla Firefox\xul.dll+268b6ed|C:\Program Files\Mozilla Firefox\xul.dll+b5c766|C:\Program Files\Mozilla Firefox\xul.dll+b5590b|C:\Program Files\Mozilla Firefox\xul.dll+38a467|C:\Program Files\Mozilla Firefox\xul.dll+b574f8|C:\Program Files\Mozilla Firefox\xul.dll+268c95e|C:\Program Files\Mozilla Firefox\xul.dll+268c6f4|C:\Program Files\Mozilla Firefox\xul.dll+b5d9c2|C:\Program Files\Mozilla Firefox\xul.dll+b57759 10341000x8000000000000000372057Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.946{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+ae2688|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372056Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.914{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b45806|C:\Program Files\Mozilla Firefox\xul.dll+399190|C:\Program Files\Mozilla Firefox\xul.dll+398da9|C:\Program Files\Mozilla Firefox\xul.dll+398c58|C:\Program Files\Mozilla Firefox\xul.dll+26a33f8|C:\Program Files\Mozilla Firefox\xul.dll+269473c|C:\Program Files\Mozilla Firefox\xul.dll+b55447|C:\Program Files\Mozilla Firefox\xul.dll+268b6ed|C:\Program Files\Mozilla Firefox\xul.dll+b5c766|C:\Program Files\Mozilla Firefox\xul.dll+b5590b|C:\Program Files\Mozilla Firefox\xul.dll+38a467|C:\Program Files\Mozilla Firefox\xul.dll+b574f8|C:\Program Files\Mozilla Firefox\xul.dll+268c95e|C:\Program Files\Mozilla Firefox\xul.dll+268c6f4|C:\Program Files\Mozilla Firefox\xul.dll+b5d9c2|C:\Program Files\Mozilla Firefox\xul.dll+b57759 10341000x8000000000000000372055Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.914{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b45806|C:\Program Files\Mozilla Firefox\xul.dll+399190|C:\Program Files\Mozilla Firefox\xul.dll+398da9|C:\Program Files\Mozilla Firefox\xul.dll+398c58|C:\Program Files\Mozilla Firefox\xul.dll+26a33f8|C:\Program Files\Mozilla Firefox\xul.dll+269473c|C:\Program Files\Mozilla Firefox\xul.dll+b55447|C:\Program Files\Mozilla Firefox\xul.dll+268b6ed|C:\Program Files\Mozilla Firefox\xul.dll+b5c766|C:\Program Files\Mozilla Firefox\xul.dll+b5590b|C:\Program Files\Mozilla Firefox\xul.dll+38a467|C:\Program Files\Mozilla Firefox\xul.dll+b574f8|C:\Program Files\Mozilla Firefox\xul.dll+268c95e|C:\Program Files\Mozilla Firefox\xul.dll+268c6f4|C:\Program Files\Mozilla Firefox\xul.dll+b5d9c2|C:\Program Files\Mozilla Firefox\xul.dll+b57759 10341000x8000000000000000372054Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.914{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b45806|C:\Program Files\Mozilla Firefox\xul.dll+399190|C:\Program Files\Mozilla Firefox\xul.dll+398da9|C:\Program Files\Mozilla Firefox\xul.dll+398c58|C:\Program Files\Mozilla Firefox\xul.dll+26a33f8|C:\Program Files\Mozilla Firefox\xul.dll+269473c|C:\Program Files\Mozilla Firefox\xul.dll+b55447|C:\Program Files\Mozilla Firefox\xul.dll+268b6ed|C:\Program Files\Mozilla Firefox\xul.dll+b5c766|C:\Program Files\Mozilla Firefox\xul.dll+b5590b|C:\Program Files\Mozilla Firefox\xul.dll+38a467|C:\Program Files\Mozilla Firefox\xul.dll+b574f8|C:\Program Files\Mozilla Firefox\xul.dll+268c95e|C:\Program Files\Mozilla Firefox\xul.dll+268c6f4|C:\Program Files\Mozilla Firefox\xul.dll+b5d9c2|C:\Program Files\Mozilla Firefox\xul.dll+b57759 10341000x8000000000000000372053Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.890{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b45806|C:\Program Files\Mozilla Firefox\xul.dll+399190|C:\Program Files\Mozilla Firefox\xul.dll+398da9|C:\Program Files\Mozilla Firefox\xul.dll+398c58|C:\Program Files\Mozilla Firefox\xul.dll+b5bb80|C:\Program Files\Mozilla Firefox\xul.dll+b5b4fd|C:\Program Files\Mozilla Firefox\xul.dll+b545b4|C:\Program Files\Mozilla Firefox\xul.dll+b599b8|C:\Program Files\Mozilla Firefox\xul.dll+b5a14b|C:\Program Files\Mozilla Firefox\xul.dll+38aca1|C:\Program Files\Mozilla Firefox\xul.dll+b5af29|C:\Program Files\Mozilla Firefox\xul.dll+b5dee2|C:\Program Files\Mozilla Firefox\xul.dll+b5a946|C:\Program Files\Mozilla Firefox\xul.dll+38a467|C:\Program Files\Mozilla Firefox\xul.dll+b39e0f|C:\Program Files\Mozilla Firefox\xul.dll+b39016 10341000x8000000000000000372052Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.890{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000372051Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.890{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+9523a9|C:\Program Files\Mozilla Firefox\xul.dll+9522ca|C:\Program Files\Mozilla Firefox\xul.dll+951ed9|C:\Program Files\Mozilla Firefox\xul.dll+94dc7f|C:\Program Files\Mozilla Firefox\xul.dll+94df8c|C:\Program Files\Mozilla Firefox\xul.dll+aa87ba|C:\Program Files\Mozilla Firefox\xul.dll+2d2329|C:\Program Files\Mozilla Firefox\xul.dll+2d2234|C:\Program Files\Mozilla Firefox\xul.dll+2d2035|C:\Program Files\Mozilla Firefox\xul.dll+2d1ee4|C:\Program Files\Mozilla Firefox\xul.dll+acfe73|C:\Program Files\Mozilla Firefox\xul.dll+ad0ff1|C:\Program Files\Mozilla Firefox\xul.dll+acfb6d|C:\Program Files\Mozilla Firefox\xul.dll+acee12|C:\Program Files\Mozilla Firefox\xul.dll+af7035|C:\Program Files\Mozilla Firefox\xul.dll+19a869d|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0 23542300x8000000000000000372050Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.850{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B33ADD880D7FB5ACB0DCA14620C1B65,SHA256=7CA7225398525DB3A8E5A74297E664A4EB525BF7E9BF3D19244A3CDA7BD38575,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372049Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.836{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372048Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.836{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372047Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.836{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372046Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.836{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372045Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.836{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372044Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.836{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372043Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.836{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372042Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.836{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372041Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.836{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372040Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372039Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372038Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000372037Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000372036Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000372035Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000372034Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b45806|C:\Program Files\Mozilla Firefox\xul.dll+399190|C:\Program Files\Mozilla Firefox\xul.dll+398da9|C:\Program Files\Mozilla Firefox\xul.dll+398c58|C:\Program Files\Mozilla Firefox\xul.dll+b5b60b|C:\Program Files\Mozilla Firefox\xul.dll+b543e2|C:\Program Files\Mozilla Firefox\xul.dll+b599b8|C:\Program Files\Mozilla Firefox\xul.dll+b5a14b|C:\Program Files\Mozilla Firefox\xul.dll+38aca1|C:\Program Files\Mozilla Firefox\xul.dll+b5af29|C:\Program Files\Mozilla Firefox\xul.dll+b5dee2|C:\Program Files\Mozilla Firefox\xul.dll+b5a946|C:\Program Files\Mozilla Firefox\xul.dll+38a467|C:\Program Files\Mozilla Firefox\xul.dll+b574f8|C:\Program Files\Mozilla Firefox\xul.dll+b5d958|C:\Program Files\Mozilla Firefox\xul.dll+b5dcbd 10341000x8000000000000000372033Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b45806|C:\Program Files\Mozilla Firefox\xul.dll+399190|C:\Program Files\Mozilla Firefox\xul.dll+398da9|C:\Program Files\Mozilla Firefox\xul.dll+398c58|C:\Program Files\Mozilla Firefox\xul.dll+26a33f8|C:\Program Files\Mozilla Firefox\xul.dll+269473c|C:\Program Files\Mozilla Firefox\xul.dll+b55447|C:\Program Files\Mozilla Firefox\xul.dll+268b6ed|C:\Program Files\Mozilla Firefox\xul.dll+b5c766|C:\Program Files\Mozilla Firefox\xul.dll+b5590b|C:\Program Files\Mozilla Firefox\xul.dll+38a467|C:\Program Files\Mozilla Firefox\xul.dll+b574f8|C:\Program Files\Mozilla Firefox\xul.dll+268c95e|C:\Program Files\Mozilla Firefox\xul.dll+268c6f4|C:\Program Files\Mozilla Firefox\xul.dll+b5d9c2|C:\Program Files\Mozilla Firefox\xul.dll+b57759 10341000x8000000000000000372032Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b45806|C:\Program Files\Mozilla Firefox\xul.dll+399190|C:\Program Files\Mozilla Firefox\xul.dll+398da9|C:\Program Files\Mozilla Firefox\xul.dll+398c58|C:\Program Files\Mozilla Firefox\xul.dll+b5bb80|C:\Program Files\Mozilla Firefox\xul.dll+26a07db|C:\Program Files\Mozilla Firefox\xul.dll+26938c6|C:\Program Files\Mozilla Firefox\xul.dll+b550c0|C:\Program Files\Mozilla Firefox\xul.dll+268b6ed|C:\Program Files\Mozilla Firefox\xul.dll+b5c766|C:\Program Files\Mozilla Firefox\xul.dll+b5590b|C:\Program Files\Mozilla Firefox\xul.dll+38a467|C:\Program Files\Mozilla Firefox\xul.dll+b574f8|C:\Program Files\Mozilla Firefox\xul.dll+268c95e|C:\Program Files\Mozilla Firefox\xul.dll+268c6f4|C:\Program Files\Mozilla Firefox\xul.dll+b5d9c2 10341000x8000000000000000372031Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b45806|C:\Program Files\Mozilla Firefox\xul.dll+399190|C:\Program Files\Mozilla Firefox\xul.dll+398da9|C:\Program Files\Mozilla Firefox\xul.dll+398c58|C:\Program Files\Mozilla Firefox\xul.dll+b5b60b|C:\Program Files\Mozilla Firefox\xul.dll+b543e2|C:\Program Files\Mozilla Firefox\xul.dll+b599b8|C:\Program Files\Mozilla Firefox\xul.dll+b5a14b|C:\Program Files\Mozilla Firefox\xul.dll+38aca1|C:\Program Files\Mozilla Firefox\xul.dll+b5af29|C:\Program Files\Mozilla Firefox\xul.dll+b5dee2|C:\Program Files\Mozilla Firefox\xul.dll+b5a946|C:\Program Files\Mozilla Firefox\xul.dll+38a467|C:\Program Files\Mozilla Firefox\xul.dll+b574f8|C:\Program Files\Mozilla Firefox\xul.dll+b5d958|C:\Program Files\Mozilla Firefox\xul.dll+b5dcbd 10341000x8000000000000000372030Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b45806|C:\Program Files\Mozilla Firefox\xul.dll+399190|C:\Program Files\Mozilla Firefox\xul.dll+398da9|C:\Program Files\Mozilla Firefox\xul.dll+398c58|C:\Program Files\Mozilla Firefox\xul.dll+26a33f8|C:\Program Files\Mozilla Firefox\xul.dll+269473c|C:\Program Files\Mozilla Firefox\xul.dll+b55447|C:\Program Files\Mozilla Firefox\xul.dll+268b6ed|C:\Program Files\Mozilla Firefox\xul.dll+b5c766|C:\Program Files\Mozilla Firefox\xul.dll+b5590b|C:\Program Files\Mozilla Firefox\xul.dll+38a467|C:\Program Files\Mozilla Firefox\xul.dll+b574f8|C:\Program Files\Mozilla Firefox\xul.dll+268c95e|C:\Program Files\Mozilla Firefox\xul.dll+268c6f4|C:\Program Files\Mozilla Firefox\xul.dll+b5d9c2|C:\Program Files\Mozilla Firefox\xul.dll+b57759 10341000x8000000000000000372029Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfea3|C:\Program Files\Mozilla Firefox\xul.dll+af8a4f|C:\Program Files\Mozilla Firefox\xul.dll+af86df|C:\Program Files\Mozilla Firefox\xul.dll+af8e3e|C:\Program Files\Mozilla Firefox\xul.dll+ef4b2a|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5|C:\Program Files\Mozilla Firefox\xul.dll+e89084|C:\Program Files\Mozilla Firefox\xul.dll+e88b29 10341000x8000000000000000372028Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfea3|C:\Program Files\Mozilla Firefox\xul.dll+af8a4f|C:\Program Files\Mozilla Firefox\xul.dll+af86df|C:\Program Files\Mozilla Firefox\xul.dll+af8e3e|C:\Program Files\Mozilla Firefox\xul.dll+ef4b2a|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5|C:\Program Files\Mozilla Firefox\xul.dll+e89084|C:\Program Files\Mozilla Firefox\xul.dll+e88b29 10341000x8000000000000000372027Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfea3|C:\Program Files\Mozilla Firefox\xul.dll+af8a4f|C:\Program Files\Mozilla Firefox\xul.dll+af86df|C:\Program Files\Mozilla Firefox\xul.dll+af8e3e|C:\Program Files\Mozilla Firefox\xul.dll+ef4b2a|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5|C:\Program Files\Mozilla Firefox\xul.dll+e89084|C:\Program Files\Mozilla Firefox\xul.dll+e88b29 10341000x8000000000000000372026Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfea3|C:\Program Files\Mozilla Firefox\xul.dll+af8a4f|C:\Program Files\Mozilla Firefox\xul.dll+af86df|C:\Program Files\Mozilla Firefox\xul.dll+af8e3e|C:\Program Files\Mozilla Firefox\xul.dll+ef4b2a|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5|C:\Program Files\Mozilla Firefox\xul.dll+e89084|C:\Program Files\Mozilla Firefox\xul.dll+e88b29 10341000x8000000000000000372025Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfea3|C:\Program Files\Mozilla Firefox\xul.dll+af8a4f|C:\Program Files\Mozilla Firefox\xul.dll+af86df|C:\Program Files\Mozilla Firefox\xul.dll+af8e3e|C:\Program Files\Mozilla Firefox\xul.dll+ef4b2a|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5|C:\Program Files\Mozilla Firefox\xul.dll+e89084|C:\Program Files\Mozilla Firefox\xul.dll+e88b29 10341000x8000000000000000372024Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfea3|C:\Program Files\Mozilla Firefox\xul.dll+af8a4f|C:\Program Files\Mozilla Firefox\xul.dll+af86df|C:\Program Files\Mozilla Firefox\xul.dll+af8e3e|C:\Program Files\Mozilla Firefox\xul.dll+ef4b2a|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5|C:\Program Files\Mozilla Firefox\xul.dll+e89084|C:\Program Files\Mozilla Firefox\xul.dll+e88b29 23542300x8000000000000000372023Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.785{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372022Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.754{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+ae2688|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372021Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.754{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+ae2688|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372020Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.754{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+ae2688|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372019Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.754{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+ae2688|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372018Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.754{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+ae2688|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372017Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.749{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372016Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.732{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372015Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.732{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372014Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.732{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372013Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.732{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372012Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.670{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000372011Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.670{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000372010Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.670{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 23542300x8000000000000000372009Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.617{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E24E600E0CD5A0F6506BD1F66D309E,SHA256=330B1042DEE39931F6F18503E264ED2CE700DE472DA683F2DA32B8FA1C72CF3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372008Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.617{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372007Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.617{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000372006Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.601{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27DAF903AB7FE60D5C1AD071C59BEC0A,SHA256=D8BF8AEB3B8D81BAAD75FDF20382243BE06F6C402F862D61252A0A3F518C3FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372005Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.585{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\cache2\doomed\106MD5=8D7A252BBEAAFA055C83E0BAAEFA2914,SHA256=0622FD6EF63C04E313B76911AB69EDA67F1367DA586E04FBF07768413718A443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372004Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.585{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\cache2\doomed\2906MD5=9899F94B4F46FEB4F0518B6B86173877,SHA256=50ABA69DEC224AD652F8BE2424DDC39E44910A60CBD5D2B8813F2BF597B26F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372003Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.585{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\cache2\doomed\30995MD5=6641591DCA3965E161B2ABDA0F50CA75,SHA256=F6A6CC162D587AEBE44DB84C8116FED585C2C48C079448B07B6680689EFA3762,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372002Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.585{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372001Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.585{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372000Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.585{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371999Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.585{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371998Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.585{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371997Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.585{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371996Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.585{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371995Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.585{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371994Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.585{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371993Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.570{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371992Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.570{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371991Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.570{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371990Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.570{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371989Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.570{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371988Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.570{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371987Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.570{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371986Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.570{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371985Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.570{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371984Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.570{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000371983Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.570{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000371982Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.570{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000371981Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.554{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371980Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.554{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+9c6f39|C:\Program Files\Mozilla Firefox\xul.dll+916972|C:\Program Files\Mozilla Firefox\xul.dll+7dc36a|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371979Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.517{27B459FE-613B-619F-9B01-000000000F02}45563944C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+947021|C:\Program Files\Mozilla Firefox\xul.dll+9aeb6e|C:\Program Files\Mozilla Firefox\xul.dll+c90b1|C:\Program Files\Mozilla Firefox\xul.dll+1953ef6|C:\Program Files\Mozilla Firefox\xul.dll+16cfab5|C:\Program Files\Mozilla Firefox\xul.dll+1601a09|C:\Program Files\Mozilla Firefox\xul.dll+25f82|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+7dfe67|C:\Program Files\Mozilla Firefox\nss3.dll+7617d|C:\Program Files\Mozilla Firefox\nss3.dll+8e1c1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000371978Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.517{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\storage.sqlite-journalMD5=C547326AA1611F17FCBAA2114A062826,SHA256=54264F010D78F57E667F5AF058E5A1DA2186C0D7D5E324F7612AE7ABF22B3416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371977Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.486{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65DAA044286047A0318C357AABC92FB,SHA256=102E02BEA9044BAB7D3D79E5165ACCA0A3EB4399A4986ABA6E17080ADDCDB2C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371976Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.470{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371975Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.470{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371974Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.470{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371973Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.470{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371972Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.450{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98de38|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+99bec9|C:\Program Files\Mozilla Firefox\xul.dll+dba2d8|C:\Program Files\Mozilla Firefox\xul.dll+195fd23|C:\Program Files\Mozilla Firefox\xul.dll+1953ef6|C:\Program Files\Mozilla Firefox\xul.dll+192f540|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000371971Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:10.450{27B459FE-613B-619F-9B01-000000000F02}4556\cubeb-pipe-4556-2C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000371970Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:11:10.450{27B459FE-613B-619F-9B01-000000000F02}4556\cubeb-pipe-4556-2C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000371969Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.432{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+ef4aa0|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000371968Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.432{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371967Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.432{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000371966Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:10.432{27B459FE-613D-619F-9E01-000000000F02}136\chrome.4556.6.207163576C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000371965Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.432{27B459FE-613B-619F-9B01-000000000F02}45563392C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+1b23dc|C:\Program Files\Mozilla Firefox\xul.dll+9511c6|C:\Program Files\Mozilla Firefox\xul.dll+94baaf|C:\Program Files\Mozilla Firefox\xul.dll+194c219|C:\Program Files\Mozilla Firefox\xul.dll+194a907|C:\Program Files\Mozilla Firefox\xul.dll+132f5|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+92d371|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000371964Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:11:10.432{27B459FE-613B-619F-9B01-000000000F02}4556\chrome.4556.6.207163576C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000371963Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:10.417{27B459FE-613B-619F-9B01-000000000F02}4556\chrome.4556.5.108760420C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000371962Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.417{27B459FE-613B-619F-9B01-000000000F02}45564376C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12dedb|C:\Program Files\Mozilla Firefox\xul.dll+11937fd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000371961Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:10.417{27B459FE-613B-619F-9B01-000000000F02}4556\gecko-crash-server-pipe.4556C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000371960Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.386{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f0b0|C:\Program Files\Mozilla Firefox\xul.dll+dc758e|C:\Program Files\Mozilla Firefox\xul.dll+dc1549|C:\Program Files\Mozilla Firefox\xul.dll+db3010|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+268666|C:\Program Files\Mozilla Firefox\xul.dll+236625|C:\Program Files\Mozilla Firefox\xul.dll+7c6761|C:\Program Files\Mozilla Firefox\xul.dll+17d1479|C:\Program Files\Mozilla Firefox\xul.dll+19e0b6e|C:\Program Files\Mozilla Firefox\xul.dll+168c371|C:\Program Files\Mozilla Firefox\xul.dll+1afdf39|C:\Program Files\Mozilla Firefox\xul.dll+1cce3b8 10341000x8000000000000000371959Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.386{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98de38|C:\Program Files\Mozilla Firefox\xul.dll+98db34|C:\Program Files\Mozilla Firefox\xul.dll+a139ee|C:\Program Files\Mozilla Firefox\xul.dll+db2fc0|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+268666|C:\Program Files\Mozilla Firefox\xul.dll+236625|C:\Program Files\Mozilla Firefox\xul.dll+7c6761|C:\Program Files\Mozilla Firefox\xul.dll+17d1479|C:\Program Files\Mozilla Firefox\xul.dll+19e0b6e|C:\Program Files\Mozilla Firefox\xul.dll+168c371 10341000x8000000000000000371958Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.386{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+81ae59|C:\Program Files\Mozilla Firefox\xul.dll+db2d1e|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+268666|C:\Program Files\Mozilla Firefox\xul.dll+236625|C:\Program Files\Mozilla Firefox\xul.dll+7c6761|C:\Program Files\Mozilla Firefox\xul.dll+17d1479|C:\Program Files\Mozilla Firefox\xul.dll+19e0b6e 10341000x8000000000000000371957Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.386{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+db2cba|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+268666|C:\Program Files\Mozilla Firefox\xul.dll+236625|C:\Program Files\Mozilla Firefox\xul.dll+7c6761|C:\Program Files\Mozilla Firefox\xul.dll+17d1479|C:\Program Files\Mozilla Firefox\xul.dll+19e0b6e|C:\Program Files\Mozilla Firefox\xul.dll+168c371|C:\Program Files\Mozilla Firefox\xul.dll+1afdf39 10341000x8000000000000000371956Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.386{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+21245b|C:\Program Files\Mozilla Firefox\xul.dll+db2caf|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+268666|C:\Program Files\Mozilla Firefox\xul.dll+236625|C:\Program Files\Mozilla Firefox\xul.dll+7c6761|C:\Program Files\Mozilla Firefox\xul.dll+17d1479|C:\Program Files\Mozilla Firefox\xul.dll+19e0b6e|C:\Program Files\Mozilla Firefox\xul.dll+168c371 10341000x8000000000000000371955Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.386{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+21245b|C:\Program Files\Mozilla Firefox\xul.dll+db2caf|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+268666|C:\Program Files\Mozilla Firefox\xul.dll+236625|C:\Program Files\Mozilla Firefox\xul.dll+7c6761|C:\Program Files\Mozilla Firefox\xul.dll+17d1479|C:\Program Files\Mozilla Firefox\xul.dll+19e0b6e|C:\Program Files\Mozilla Firefox\xul.dll+168c371 10341000x8000000000000000371954Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.386{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+21245b|C:\Program Files\Mozilla Firefox\xul.dll+db2caf|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+268666|C:\Program Files\Mozilla Firefox\xul.dll+236625|C:\Program Files\Mozilla Firefox\xul.dll+7c6761|C:\Program Files\Mozilla Firefox\xul.dll+17d1479|C:\Program Files\Mozilla Firefox\xul.dll+19e0b6e|C:\Program Files\Mozilla Firefox\xul.dll+168c371 10341000x8000000000000000371953Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.386{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+db2c31|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+268666|C:\Program Files\Mozilla Firefox\xul.dll+236625|C:\Program Files\Mozilla Firefox\xul.dll+7c6761|C:\Program Files\Mozilla Firefox\xul.dll+17d1479|C:\Program Files\Mozilla Firefox\xul.dll+19e0b6e|C:\Program Files\Mozilla Firefox\xul.dll+168c371|C:\Program Files\Mozilla Firefox\xul.dll+1afdf39|C:\Program Files\Mozilla Firefox\xul.dll+1cce3b8|UNKNOWN(000002D5C4203EBF) 10341000x8000000000000000371952Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.386{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+bc375|C:\Program Files\Mozilla Firefox\xul.dll+db2908|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+268666|C:\Program Files\Mozilla Firefox\xul.dll+236625|C:\Program Files\Mozilla Firefox\xul.dll+7c6761|C:\Program Files\Mozilla Firefox\xul.dll+17d1479|C:\Program Files\Mozilla Firefox\xul.dll+19e0b6e|C:\Program Files\Mozilla Firefox\xul.dll+168c371|C:\Program Files\Mozilla Firefox\xul.dll+1afdf39|C:\Program Files\Mozilla Firefox\xul.dll+1cce3b8 10341000x8000000000000000371951Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.386{27B459FE-613B-619F-9B01-000000000F02}45563392C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+94415f|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+15f387c|C:\Program Files\Mozilla Firefox\xul.dll+194a98c|C:\Program Files\Mozilla Firefox\xul.dll+132f5|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+92d371|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371950Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.386{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371949Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.386{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371948Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.386{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371947Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.386{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371946Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.386{27B459FE-5C01-619F-A300-000000000F02}13443148C:\Windows\system32\csrss.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371945Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.386{27B459FE-613B-619F-9B01-000000000F02}45564348C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f3fd|C:\Program Files\Mozilla Firefox\firefox.exe+2e605|C:\Program Files\Mozilla Firefox\xul.dll+1f54d4a|C:\Program Files\Mozilla Firefox\xul.dll+9404aa|C:\Program Files\Mozilla Firefox\xul.dll+93e6b5|C:\Program Files\Mozilla Firefox\xul.dll+944f1e|C:\Program Files\Mozilla Firefox\xul.dll+7dd2b1|C:\Program Files\Mozilla Firefox\xul.dll+1601a09|C:\Program Files\Mozilla Firefox\xul.dll+2604a|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+7dfe67|C:\Program Files\Mozilla Firefox\nss3.dll+7617d|C:\Program Files\Mozilla Firefox\nss3.dll+8e1c1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371944Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.392{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe94.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.5.1087604205\814003913" -childID 3 -isForBrowser -prefsHandle 3432 -prefMapHandle 3328 -prefsLen 6006 -prefMapSize 246000 -jsInit 1076 278680 -parentBuildID 20211119140621 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 3464 1d5edf98338 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2LowMD5=B7A783B6E7C1E3D42CBD21294B1F53D0,SHA256=FA022774AD52430FBC203B38B9A395BA0CEF61A121A330F917754DBA316D4C93,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000371943Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:11:10.370{27B459FE-613B-619F-9B01-000000000F02}4556\chrome.4556.5.108760420C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000371942Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.354{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f5b4e7|C:\Program Files\Mozilla Firefox\xul.dll+f4ca16|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680 10341000x8000000000000000371941Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.354{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+ef4aa0|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 23542300x8000000000000000371940Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.349{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A107BF8FAD2EDCF5B2315FAEED54EDB1,SHA256=DF9B98CF2E38C5C968C79C709A95D4BB9B13BAF5208E5DDB9BD0E74860484ABF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371939Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.317{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+ae2688|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1933d51|C:\Program Files\Mozilla Firefox\xul.dll+37091bd|C:\Program Files\Mozilla Firefox\xul.dll+e60329|C:\Program Files\Mozilla Firefox\xul.dll+e5f8b4|C:\Program Files\Mozilla Firefox\xul.dll+e5ab44|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11b2c|C:\Program Files\Mozilla Firefox\xul.dll+17a8040|C:\Program Files\Mozilla Firefox\xul.dll+1601297|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1 10341000x8000000000000000371938Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.317{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+ae2688|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1933d51|C:\Program Files\Mozilla Firefox\xul.dll+37091bd|C:\Program Files\Mozilla Firefox\xul.dll+e60329|C:\Program Files\Mozilla Firefox\xul.dll+e5f8b4|C:\Program Files\Mozilla Firefox\xul.dll+e5ab44|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11b2c|C:\Program Files\Mozilla Firefox\xul.dll+17a8040|C:\Program Files\Mozilla Firefox\xul.dll+1601297|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1 23542300x8000000000000000371937Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.317{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371936Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.301{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f5b4e7|C:\Program Files\Mozilla Firefox\xul.dll+f4ca16|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+f50a4e|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+f50308|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+f50a4e|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6 10341000x8000000000000000371935Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.301{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+9523a9|C:\Program Files\Mozilla Firefox\xul.dll+9522ca|C:\Program Files\Mozilla Firefox\xul.dll+951ed9|C:\Program Files\Mozilla Firefox\xul.dll+94dc7f|C:\Program Files\Mozilla Firefox\xul.dll+94df8c|C:\Program Files\Mozilla Firefox\xul.dll+aa87ba|C:\Program Files\Mozilla Firefox\xul.dll+2d2329|C:\Program Files\Mozilla Firefox\xul.dll+2d2234|C:\Program Files\Mozilla Firefox\xul.dll+2d2035|C:\Program Files\Mozilla Firefox\xul.dll+2d1ee4|C:\Program Files\Mozilla Firefox\xul.dll+acfe73|C:\Program Files\Mozilla Firefox\xul.dll+ad0ff1|C:\Program Files\Mozilla Firefox\xul.dll+acfb6d|C:\Program Files\Mozilla Firefox\xul.dll+acee12|C:\Program Files\Mozilla Firefox\xul.dll+af7035|C:\Program Files\Mozilla Firefox\xul.dll+19a869d|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0 10341000x8000000000000000371934Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.301{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+9523a9|C:\Program Files\Mozilla Firefox\xul.dll+9522ca|C:\Program Files\Mozilla Firefox\xul.dll+951ed9|C:\Program Files\Mozilla Firefox\xul.dll+94dc7f|C:\Program Files\Mozilla Firefox\xul.dll+94df8c|C:\Program Files\Mozilla Firefox\xul.dll+aa87ba|C:\Program Files\Mozilla Firefox\xul.dll+2d2329|C:\Program Files\Mozilla Firefox\xul.dll+2d2234|C:\Program Files\Mozilla Firefox\xul.dll+2d2035|C:\Program Files\Mozilla Firefox\xul.dll+2d1ee4|C:\Program Files\Mozilla Firefox\xul.dll+acfe73|C:\Program Files\Mozilla Firefox\xul.dll+ad0ff1|C:\Program Files\Mozilla Firefox\xul.dll+acfb6d|C:\Program Files\Mozilla Firefox\xul.dll+acee12|C:\Program Files\Mozilla Firefox\xul.dll+af7035|C:\Program Files\Mozilla Firefox\xul.dll+19a869d|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0 10341000x8000000000000000371933Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.286{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+9523a9|C:\Program Files\Mozilla Firefox\xul.dll+9522ca|C:\Program Files\Mozilla Firefox\xul.dll+951ed9|C:\Program Files\Mozilla Firefox\xul.dll+94dc7f|C:\Program Files\Mozilla Firefox\xul.dll+94df8c|C:\Program Files\Mozilla Firefox\xul.dll+aa87ba|C:\Program Files\Mozilla Firefox\xul.dll+2d2329|C:\Program Files\Mozilla Firefox\xul.dll+2d2234|C:\Program Files\Mozilla Firefox\xul.dll+2d2035|C:\Program Files\Mozilla Firefox\xul.dll+2d1ee4|C:\Program Files\Mozilla Firefox\xul.dll+acfe73|C:\Program Files\Mozilla Firefox\xul.dll+ad0ff1|C:\Program Files\Mozilla Firefox\xul.dll+acfb6d|C:\Program Files\Mozilla Firefox\xul.dll+acee12|C:\Program Files\Mozilla Firefox\xul.dll+af7035|C:\Program Files\Mozilla Firefox\xul.dll+19a869d|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0 10341000x8000000000000000371932Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.286{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+ef4aa0|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000371931Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.233{27B459FE-613B-619F-9B01-000000000F02}45563944C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+947021|C:\Program Files\Mozilla Firefox\xul.dll+9aeb6e|C:\Program Files\Mozilla Firefox\xul.dll+c90b1|C:\Program Files\Mozilla Firefox\xul.dll+1953ef6|C:\Program Files\Mozilla Firefox\xul.dll+16cfab5|C:\Program Files\Mozilla Firefox\xul.dll+1601a09|C:\Program Files\Mozilla Firefox\xul.dll+25f82|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+7dfe67|C:\Program Files\Mozilla Firefox\nss3.dll+7617d|C:\Program Files\Mozilla Firefox\nss3.dll+8e1c1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371930Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.201{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371929Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.201{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371928Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.201{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+e242fb|C:\Program Files\Mozilla Firefox\xul.dll+e24229|C:\Program Files\Mozilla Firefox\xul.dll+3709ba3 10341000x8000000000000000371927Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.201{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b45806|C:\Program Files\Mozilla Firefox\xul.dll+399190|C:\Program Files\Mozilla Firefox\xul.dll+398da9|C:\Program Files\Mozilla Firefox\xul.dll+398c58|C:\Program Files\Mozilla Firefox\xul.dll+b5bb80|C:\Program Files\Mozilla Firefox\xul.dll+b5b4fd|C:\Program Files\Mozilla Firefox\xul.dll+b545b4|C:\Program Files\Mozilla Firefox\xul.dll+b599b8|C:\Program Files\Mozilla Firefox\xul.dll+b5a14b|C:\Program Files\Mozilla Firefox\xul.dll+38aca1|C:\Program Files\Mozilla Firefox\xul.dll+b5af29|C:\Program Files\Mozilla Firefox\xul.dll+b5dee2|C:\Program Files\Mozilla Firefox\xul.dll+b5a946|C:\Program Files\Mozilla Firefox\xul.dll+38a467|C:\Program Files\Mozilla Firefox\xul.dll+b39e0f|C:\Program Files\Mozilla Firefox\xul.dll+1eae30a 23542300x8000000000000000371926Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.201{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84311F6FCB654BD04A5F6D2440F3ECDD,SHA256=B8DDDA977C1C1154A5BE2AD5C5774F680018418900099CB09C3161BDF499DDC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371925Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.201{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371924Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.201{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371923Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.201{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+e4515e|C:\Program Files\Mozilla Firefox\xul.dll+b26e42|C:\Program Files\Mozilla Firefox\xul.dll+284695|C:\Program Files\Mozilla Firefox\xul.dll+28446a|C:\Program Files\Mozilla Firefox\xul.dll+e5e595|C:\Program Files\Mozilla Firefox\xul.dll+183e71a|C:\Program Files\Mozilla Firefox\xul.dll+1a52588|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a54a1f|C:\Program Files\Mozilla Firefox\xul.dll+16fe2b9|C:\Program Files\Mozilla Firefox\xul.dll+e923f5|C:\Program Files\Mozilla Firefox\xul.dll+1a5122e|C:\Program Files\Mozilla Firefox\xul.dll+16febfd|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+101c8c|C:\Program Files\Mozilla Firefox\xul.dll+1207ff|C:\Program Files\Mozilla Firefox\xul.dll+110459e|C:\Program Files\Mozilla Firefox\xul.dll+8377a8|C:\Program Files\Mozilla Firefox\xul.dll+837ed6|C:\Program Files\Mozilla Firefox\xul.dll+22b810 10341000x8000000000000000371922Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.201{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+e45137|C:\Program Files\Mozilla Firefox\xul.dll+b26e42|C:\Program Files\Mozilla Firefox\xul.dll+284695|C:\Program Files\Mozilla Firefox\xul.dll+28446a|C:\Program Files\Mozilla Firefox\xul.dll+e5e595|C:\Program Files\Mozilla Firefox\xul.dll+183e71a|C:\Program Files\Mozilla Firefox\xul.dll+1a52588|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a54a1f|C:\Program Files\Mozilla Firefox\xul.dll+16fe2b9|C:\Program Files\Mozilla Firefox\xul.dll+e923f5|C:\Program Files\Mozilla Firefox\xul.dll+1a5122e|C:\Program Files\Mozilla Firefox\xul.dll+16febfd|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+101c8c|C:\Program Files\Mozilla Firefox\xul.dll+1207ff|C:\Program Files\Mozilla Firefox\xul.dll+110459e|C:\Program Files\Mozilla Firefox\xul.dll+8377a8|C:\Program Files\Mozilla Firefox\xul.dll+837ed6|C:\Program Files\Mozilla Firefox\xul.dll+22b810 10341000x8000000000000000371921Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.201{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+e4510c|C:\Program Files\Mozilla Firefox\xul.dll+b26e42|C:\Program Files\Mozilla Firefox\xul.dll+284695|C:\Program Files\Mozilla Firefox\xul.dll+28446a|C:\Program Files\Mozilla Firefox\xul.dll+e5e595|C:\Program Files\Mozilla Firefox\xul.dll+183e71a|C:\Program Files\Mozilla Firefox\xul.dll+1a52588|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a527cf|C:\Program Files\Mozilla Firefox\xul.dll+1a54a1f|C:\Program Files\Mozilla Firefox\xul.dll+16fe2b9|C:\Program Files\Mozilla Firefox\xul.dll+e923f5|C:\Program Files\Mozilla Firefox\xul.dll+1a5122e|C:\Program Files\Mozilla Firefox\xul.dll+16febfd|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+101c8c|C:\Program Files\Mozilla Firefox\xul.dll+1207ff|C:\Program Files\Mozilla Firefox\xul.dll+110459e|C:\Program Files\Mozilla Firefox\xul.dll+8377a8|C:\Program Files\Mozilla Firefox\xul.dll+837ed6|C:\Program Files\Mozilla Firefox\xul.dll+22b810 23542300x8000000000000000371920Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.186{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371919Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.186{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+ae2688|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371918Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.186{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98de38|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+99bec9|C:\Program Files\Mozilla Firefox\xul.dll+dba2d8|C:\Program Files\Mozilla Firefox\xul.dll+195fd23|C:\Program Files\Mozilla Firefox\xul.dll+1953ef6|C:\Program Files\Mozilla Firefox\xul.dll+192f540|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000371917Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:10.186{27B459FE-613B-619F-9B01-000000000F02}4556\cubeb-pipe-4556-1C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000371916Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:11:10.186{27B459FE-613B-619F-9B01-000000000F02}4556\cubeb-pipe-4556-1C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000371915Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.170{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000371914Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.170{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A64F42BCF631E3C50F5309186326C40,SHA256=95047F3AC1FA14CE20C6079A946E9533FFB16177755045BDF2918465E0CF7874,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371913Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.170{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000371912Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.170{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000371911Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.170{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000371910Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.170{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000371909Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.170{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371908Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.170{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000371907Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.170{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+f50308|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a 10341000x8000000000000000371906Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+f50308|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a 10341000x8000000000000000371905Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+f50308|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a 10341000x8000000000000000371904Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000371903Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.155{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371902Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 10341000x8000000000000000371901Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 18141800x8000000000000000371900Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:10.155{27B459FE-613D-619F-9E01-000000000F02}136\chrome.4556.4.204757234C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000371899Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}45563392C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+1b23dc|C:\Program Files\Mozilla Firefox\xul.dll+9511c6|C:\Program Files\Mozilla Firefox\xul.dll+94baaf|C:\Program Files\Mozilla Firefox\xul.dll+194c219|C:\Program Files\Mozilla Firefox\xul.dll+194a907|C:\Program Files\Mozilla Firefox\xul.dll+132f5|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+92d371|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000371898Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}4556\chrome.4556.4.204757234C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000371897Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}4556\chrome.4556.3.199165039C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000371896Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}45564376C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12dedb|C:\Program Files\Mozilla Firefox\xul.dll+11937fd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000371895Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}4556\gecko-crash-server-pipe.4556C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000371894Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+21245b|C:\Program Files\Mozilla Firefox\xul.dll+bf9e74|C:\Program Files\Mozilla Firefox\xul.dll+168c371|C:\Program Files\Mozilla Firefox\xul.dll+1658d2a|C:\Program Files\Mozilla Firefox\xul.dll+1af4fbd|C:\Program Files\Mozilla Firefox\xul.dll+170f3be|C:\Program Files\Mozilla Firefox\xul.dll+16c0285|UNKNOWN(000002D5C4201E84) 10341000x8000000000000000371893Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+21245b|C:\Program Files\Mozilla Firefox\xul.dll+bf9e74|C:\Program Files\Mozilla Firefox\xul.dll+168c371|C:\Program Files\Mozilla Firefox\xul.dll+1658d2a|C:\Program Files\Mozilla Firefox\xul.dll+1af4fbd|C:\Program Files\Mozilla Firefox\xul.dll+170f3be|C:\Program Files\Mozilla Firefox\xul.dll+16c0285|UNKNOWN(000002D5C4201E84) 10341000x8000000000000000371892Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+21245b|C:\Program Files\Mozilla Firefox\xul.dll+bf9e74|C:\Program Files\Mozilla Firefox\xul.dll+168c371|C:\Program Files\Mozilla Firefox\xul.dll+1658d2a|C:\Program Files\Mozilla Firefox\xul.dll+1af4fbd|C:\Program Files\Mozilla Firefox\xul.dll+170f3be|C:\Program Files\Mozilla Firefox\xul.dll+16c0285|UNKNOWN(000002D5C4201E84) 10341000x8000000000000000371891Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+21245b|C:\Program Files\Mozilla Firefox\xul.dll+bf9e74|C:\Program Files\Mozilla Firefox\xul.dll+168c371|C:\Program Files\Mozilla Firefox\xul.dll+1658d2a|C:\Program Files\Mozilla Firefox\xul.dll+1af4fbd|C:\Program Files\Mozilla Firefox\xul.dll+170f3be|C:\Program Files\Mozilla Firefox\xul.dll+16c0285|UNKNOWN(000002D5C4201E84) 10341000x8000000000000000371890Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+21245b|C:\Program Files\Mozilla Firefox\xul.dll+bf9e74|C:\Program Files\Mozilla Firefox\xul.dll+168c371|C:\Program Files\Mozilla Firefox\xul.dll+1658d2a|C:\Program Files\Mozilla Firefox\xul.dll+1af4fbd|C:\Program Files\Mozilla Firefox\xul.dll+1afe363|C:\Program Files\Mozilla Firefox\xul.dll+1cce3b8|UNKNOWN(000002D5C4203EBF) 10341000x8000000000000000371889Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+21245b|C:\Program Files\Mozilla Firefox\xul.dll+bf9e74|C:\Program Files\Mozilla Firefox\xul.dll+168c371|C:\Program Files\Mozilla Firefox\xul.dll+1658d2a|C:\Program Files\Mozilla Firefox\xul.dll+1af4fbd|C:\Program Files\Mozilla Firefox\xul.dll+1afe363|C:\Program Files\Mozilla Firefox\xul.dll+1cce3b8|UNKNOWN(000002D5C4203EBF) 10341000x8000000000000000371888Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+21245b|C:\Program Files\Mozilla Firefox\xul.dll+bf9e74|C:\Program Files\Mozilla Firefox\xul.dll+168c371|C:\Program Files\Mozilla Firefox\xul.dll+1658d2a|C:\Program Files\Mozilla Firefox\xul.dll+1af4fbd|C:\Program Files\Mozilla Firefox\xul.dll+41e0e3f|C:\Program Files\Mozilla Firefox\xul.dll+70e54|C:\Program Files\Mozilla Firefox\xul.dll+87632|C:\Program Files\Mozilla Firefox\xul.dll+87535|C:\Program Files\Mozilla Firefox\xul.dll+a1143c|C:\Program Files\Mozilla Firefox\xul.dll+844eb|C:\Program Files\Mozilla Firefox\xul.dll+b86d0f|C:\Program Files\Mozilla Firefox\xul.dll+168609d|C:\Program Files\Mozilla Firefox\xul.dll+1b4c1d9|C:\Program Files\Mozilla Firefox\xul.dll+1af687f|C:\Program Files\Mozilla Firefox\xul.dll+170f3be|C:\Program Files\Mozilla Firefox\xul.dll+168a2c1|C:\Program Files\Mozilla Firefox\xul.dll+197755a 10341000x8000000000000000371887Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.155{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+21245b|C:\Program Files\Mozilla Firefox\xul.dll+bf9e74|C:\Program Files\Mozilla Firefox\xul.dll+168c371|C:\Program Files\Mozilla Firefox\xul.dll+1658d2a|C:\Program Files\Mozilla Firefox\xul.dll+1af4fbd|C:\Program Files\Mozilla Firefox\xul.dll+41e0e3f|C:\Program Files\Mozilla Firefox\xul.dll+70e54|C:\Program Files\Mozilla Firefox\xul.dll+87632|C:\Program Files\Mozilla Firefox\xul.dll+87535|C:\Program Files\Mozilla Firefox\xul.dll+a1143c|C:\Program Files\Mozilla Firefox\xul.dll+844eb|C:\Program Files\Mozilla Firefox\xul.dll+b86d0f|C:\Program Files\Mozilla Firefox\xul.dll+168609d|C:\Program Files\Mozilla Firefox\xul.dll+1b4c1d9|C:\Program Files\Mozilla Firefox\xul.dll+1af687f|C:\Program Files\Mozilla Firefox\xul.dll+170f3be|C:\Program Files\Mozilla Firefox\xul.dll+168a2c1|C:\Program Files\Mozilla Firefox\xul.dll+197755a 10341000x8000000000000000371886Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.138{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f0b0|C:\Program Files\Mozilla Firefox\xul.dll+dc758e|C:\Program Files\Mozilla Firefox\xul.dll+dc1549|C:\Program Files\Mozilla Firefox\xul.dll+db3010|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406|C:\Program Files\Mozilla Firefox\xul.dll+16f11ab|C:\Program Files\Mozilla Firefox\xul.dll+168609d|C:\Program Files\Mozilla Firefox\xul.dll+165af54|C:\Program Files\Mozilla Firefox\xul.dll+1aeabde|C:\Program Files\Mozilla Firefox\xul.dll+168653b 10341000x8000000000000000371885Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.137{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98de38|C:\Program Files\Mozilla Firefox\xul.dll+98db34|C:\Program Files\Mozilla Firefox\xul.dll+a139ee|C:\Program Files\Mozilla Firefox\xul.dll+db2fc0|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406|C:\Program Files\Mozilla Firefox\xul.dll+16f11ab|C:\Program Files\Mozilla Firefox\xul.dll+168609d|C:\Program Files\Mozilla Firefox\xul.dll+165af54 10341000x8000000000000000371884Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.137{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+81ae59|C:\Program Files\Mozilla Firefox\xul.dll+db2d1e|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406|C:\Program Files\Mozilla Firefox\xul.dll+16f11ab|C:\Program Files\Mozilla Firefox\xul.dll+168609d 10341000x8000000000000000371883Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.137{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+db2cba|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406|C:\Program Files\Mozilla Firefox\xul.dll+16f11ab|C:\Program Files\Mozilla Firefox\xul.dll+168609d|C:\Program Files\Mozilla Firefox\xul.dll+165af54|C:\Program Files\Mozilla Firefox\xul.dll+1aeabde 10341000x8000000000000000371882Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.137{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+21245b|C:\Program Files\Mozilla Firefox\xul.dll+db2caf|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406|C:\Program Files\Mozilla Firefox\xul.dll+16f11ab|C:\Program Files\Mozilla Firefox\xul.dll+168609d|C:\Program Files\Mozilla Firefox\xul.dll+165af54 10341000x8000000000000000371881Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.137{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+21245b|C:\Program Files\Mozilla Firefox\xul.dll+db2caf|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406|C:\Program Files\Mozilla Firefox\xul.dll+16f11ab|C:\Program Files\Mozilla Firefox\xul.dll+168609d|C:\Program Files\Mozilla Firefox\xul.dll+165af54 10341000x8000000000000000371880Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.136{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+db2c31|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406|C:\Program Files\Mozilla Firefox\xul.dll+16f11ab|C:\Program Files\Mozilla Firefox\xul.dll+168609d|C:\Program Files\Mozilla Firefox\xul.dll+165af54|C:\Program Files\Mozilla Firefox\xul.dll+1aeabde|C:\Program Files\Mozilla Firefox\xul.dll+168653b|C:\Program Files\Mozilla Firefox\xul.dll+165af54 10341000x8000000000000000371879Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.135{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+bc375|C:\Program Files\Mozilla Firefox\xul.dll+db2908|C:\Program Files\Mozilla Firefox\xul.dll+db224c|C:\Program Files\Mozilla Firefox\xul.dll+db475d|C:\Program Files\Mozilla Firefox\xul.dll+bbdee0|C:\Program Files\Mozilla Firefox\xul.dll+bbb315|C:\Program Files\Mozilla Firefox\xul.dll+28d5ed|C:\Program Files\Mozilla Firefox\xul.dll+28d181|C:\Program Files\Mozilla Firefox\xul.dll+f0132f|C:\Program Files\Mozilla Firefox\xul.dll+16ff35c|C:\Program Files\Mozilla Firefox\xul.dll+16fd835|C:\Program Files\Mozilla Firefox\xul.dll+bbd6f6|C:\Program Files\Mozilla Firefox\xul.dll+26fdd1|C:\Program Files\Mozilla Firefox\xul.dll+37166e|C:\Program Files\Mozilla Firefox\xul.dll+c58406|C:\Program Files\Mozilla Firefox\xul.dll+16f11ab|C:\Program Files\Mozilla Firefox\xul.dll+168609d|C:\Program Files\Mozilla Firefox\xul.dll+165af54|C:\Program Files\Mozilla Firefox\xul.dll+1aeabde|C:\Program Files\Mozilla Firefox\xul.dll+168653b 10341000x8000000000000000371878Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.135{27B459FE-613B-619F-9B01-000000000F02}45563392C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+94415f|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+15f387c|C:\Program Files\Mozilla Firefox\xul.dll+194a98c|C:\Program Files\Mozilla Firefox\xul.dll+132f5|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+92d371|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371877Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.129{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371876Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.114{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371875Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.114{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371874Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.114{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371873Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.114{27B459FE-5C01-619F-A300-000000000F02}13443148C:\Windows\system32\csrss.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371872Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.114{27B459FE-613B-619F-9B01-000000000F02}45564348C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f3fd|C:\Program Files\Mozilla Firefox\firefox.exe+2e605|C:\Program Files\Mozilla Firefox\xul.dll+1f54d4a|C:\Program Files\Mozilla Firefox\xul.dll+9404aa|C:\Program Files\Mozilla Firefox\xul.dll+93e6b5|C:\Program Files\Mozilla Firefox\xul.dll+944f1e|C:\Program Files\Mozilla Firefox\xul.dll+7dd2b1|C:\Program Files\Mozilla Firefox\xul.dll+1601a09|C:\Program Files\Mozilla Firefox\xul.dll+2604a|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+7dfe67|C:\Program Files\Mozilla Firefox\nss3.dll+7617d|C:\Program Files\Mozilla Firefox\nss3.dll+8e1c1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000371871Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.128{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe94.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.3.1991650394\510734285" -childID 2 -isForBrowser -prefsHandle 2820 -prefMapHandle 2816 -prefsLen 641 -prefMapSize 246000 -jsInit 1076 278680 -parentBuildID 20211119140621 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 2832 1d5eb0d1938 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2LowMD5=B7A783B6E7C1E3D42CBD21294B1F53D0,SHA256=FA022774AD52430FBC203B38B9A395BA0CEF61A121A330F917754DBA316D4C93,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000371870Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:11:10.114{27B459FE-613B-619F-9B01-000000000F02}4556\chrome.4556.3.199165039C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000371869Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.098{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371868Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.083{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371867Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.083{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000371866Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.051{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000371865Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.051{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371864Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.036{27B459FE-613B-619F-9B01-000000000F02}45563944C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+947021|C:\Program Files\Mozilla Firefox\xul.dll+9aeb6e|C:\Program Files\Mozilla Firefox\xul.dll+c90b1|C:\Program Files\Mozilla Firefox\xul.dll+1953ef6|C:\Program Files\Mozilla Firefox\xul.dll+16cfab5|C:\Program Files\Mozilla Firefox\xul.dll+1601a09|C:\Program Files\Mozilla Firefox\xul.dll+25f82|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+7dfe67|C:\Program Files\Mozilla Firefox\nss3.dll+7617d|C:\Program Files\Mozilla Firefox\nss3.dll+8e1c1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371863Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.036{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98de38|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+99bec9|C:\Program Files\Mozilla Firefox\xul.dll+dba2d8|C:\Program Files\Mozilla Firefox\xul.dll+195fd23|C:\Program Files\Mozilla Firefox\xul.dll+1953ef6|C:\Program Files\Mozilla Firefox\xul.dll+192f540|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000371862Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:10.036{27B459FE-613B-619F-9B01-000000000F02}4556\cubeb-pipe-4556-0C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000371861Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:11:10.036{27B459FE-613B-619F-9B01-000000000F02}4556\cubeb-pipe-4556-0C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000371860Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.020{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371859Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.020{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371858Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.004{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371857Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.004{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371856Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.004{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371855Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.004{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+9523a9|C:\Program Files\Mozilla Firefox\xul.dll+9522ca|C:\Program Files\Mozilla Firefox\xul.dll+951ed9|C:\Program Files\Mozilla Firefox\xul.dll+94dc7f|C:\Program Files\Mozilla Firefox\xul.dll+94df8c|C:\Program Files\Mozilla Firefox\xul.dll+aed4a2|C:\Program Files\Mozilla Firefox\xul.dll+ae6560|C:\Program Files\Mozilla Firefox\xul.dll+ae73a6|C:\Program Files\Mozilla Firefox\xul.dll+b046c4|C:\Program Files\Mozilla Firefox\xul.dll+a9f099|C:\Program Files\Mozilla Firefox\xul.dll+aec7be|C:\Program Files\Mozilla Firefox\xul.dll+19a7ac6|C:\Program Files\Mozilla Firefox\xul.dll+18b7729|C:\Program Files\Mozilla Firefox\xul.dll+18b5a46|C:\Program Files\Mozilla Firefox\xul.dll+18b12b8|C:\Program Files\Mozilla Firefox\xul.dll+1ac6614|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+19a8d60|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d 10341000x8000000000000000371854Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.004{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+9523a9|C:\Program Files\Mozilla Firefox\xul.dll+9522ca|C:\Program Files\Mozilla Firefox\xul.dll+951ed9|C:\Program Files\Mozilla Firefox\xul.dll+94dc7f|C:\Program Files\Mozilla Firefox\xul.dll+94df8c|C:\Program Files\Mozilla Firefox\xul.dll+aa87ba|C:\Program Files\Mozilla Firefox\xul.dll+2d2329|C:\Program Files\Mozilla Firefox\xul.dll+2d2234|C:\Program Files\Mozilla Firefox\xul.dll+2d2035|C:\Program Files\Mozilla Firefox\xul.dll+2d1ee4|C:\Program Files\Mozilla Firefox\xul.dll+acfe73|C:\Program Files\Mozilla Firefox\xul.dll+ad0ff1|C:\Program Files\Mozilla Firefox\xul.dll+acfb6d|C:\Program Files\Mozilla Firefox\xul.dll+acee12|C:\Program Files\Mozilla Firefox\xul.dll+af7035|C:\Program Files\Mozilla Firefox\xul.dll+19a869d|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0 23542300x8000000000000000324888Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:11.879{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEB1168F59D39CD002D32EC53AA8003,SHA256=8D7CDBCD8B731B6DD7FC52FA0BE2CA7D43D35CA80CF2D749A2D0D7400338209F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372252Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.950{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372251Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.836{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local58998-false52.42.216.19ec2-52-42-216-19.us-west-2.compute.amazonaws.com443https 354300x8000000000000000372250Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.824{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-266.attackrange.local52050-false142.250.184.200fra24s11-in-f8.1e100.net443https 354300x8000000000000000372249Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.790{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local59000-false142.250.184.195fra24s11-in-f3.1e100.net80http 354300x8000000000000000372248Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.751{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local58999-false142.250.184.200fra24s11-in-f8.1e100.net443https 354300x8000000000000000372247Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.671{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local52049- 354300x8000000000000000372246Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.670{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local55009- 354300x8000000000000000372245Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.667{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58873- 354300x8000000000000000372244Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.650{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local59058- 354300x8000000000000000372243Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.643{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local56528- 23542300x8000000000000000372242Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.698{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\pending_pings\814fa354-f9ab-4bf9-8cb2-cbc4e03c1e85MD5=FDF4DC4DA0CEE8F30231FB3809553167,SHA256=9C5F179FF42FFC0FA2C1665BA3BEEEBAF65933E5A49C7B3B20856947824E3FD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372241Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.574{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local58997-false142.250.184.195fra24s11-in-f3.1e100.net80http 354300x8000000000000000372240Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.574{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local56343- 354300x8000000000000000372239Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.574{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local58883- 354300x8000000000000000372238Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.571{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local55862- 354300x8000000000000000372237Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.512{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local58996-false142.250.186.106fra24s06-in-f10.1e100.net443https 354300x8000000000000000372236Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.511{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local56007- 354300x8000000000000000372235Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.510{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local55230- 354300x8000000000000000372234Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.468{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local58995-false95.100.39.41a95-100-39-41.deploy.static.akamaitechnologies.com80http 354300x8000000000000000372233Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.468{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53844- 354300x8000000000000000372232Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.465{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local59030- 354300x8000000000000000372231Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.462{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local61494- 354300x8000000000000000372230Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.398{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local58994-false52.222.214.96server-52-222-214-96.fra56.r.cloudfront.net443https 354300x8000000000000000372229Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.395{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local58993-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000372228Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.392{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local52184- 10341000x8000000000000000372227Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.586{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372226Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.565{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372225Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.564{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372224Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.564{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372223Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.564{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372222Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.563{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372221Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.563{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372220Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.542{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372219Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.542{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372218Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.493{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372217Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.493{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372216Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.490{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372215Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.490{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372214Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.489{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372213Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.489{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372212Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.489{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372211Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.488{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372210Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.487{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372209Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.487{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372208Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.486{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372207Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.485{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372206Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.484{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000372205Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.483{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\pending_pings\74426a4f-8e7b-477c-b180-2b8e91cace7aMD5=5065ACE2E70B4015BEF6F2C16ED2C68D,SHA256=E1462FEFA533355E7CD3E21C71480B6B9837851443A48AE0C037FB8319101013,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372204Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.440{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000372203Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.355{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372202Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.360{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local58992-false143.204.93.87server-143-204-93-87.fra50.r.cloudfront.net443https 354300x8000000000000000372201Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.360{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local57059- 354300x8000000000000000372200Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.354{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local57026- 354300x8000000000000000372199Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.285{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local58991-false143.204.98.36server-143-204-98-36.fra50.r.cloudfront.net443https 354300x8000000000000000372198Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.284{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local60891- 354300x8000000000000000372197Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.284{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local57543- 354300x8000000000000000372196Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.258{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local58990-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000372195Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.247{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local55822- 354300x8000000000000000372194Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.245{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local57852- 354300x8000000000000000372193Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.221{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local58989-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000372192Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.140{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local58988-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000372191Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:08.370{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-58987-false127.0.0.1-58986- 354300x8000000000000000372190Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:08.370{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-58987-false127.0.0.1-58986- 23542300x8000000000000000372189Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.297{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\pending_pings\27b47182-5756-40f9-b481-5abf7fe0d70eMD5=FAA7D97D39C7C2C055A88F5712433C0C,SHA256=A28CE1AB692E8C8E2AD079E3C76C9137D0F48165243DB2C75DCB48F1873FB7A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372188Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.252{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\search.json.mozlz4MD5=A52BFA33969CB66228B092D500B22119,SHA256=893ECCBDB36D3F5C88D87AEBCDFF8EC498225996ADB00EFF1C0F3A4E5EB49EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372187Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.226{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A2BC28E5527693EAF46470DA366D09,SHA256=1B9FC0F5ADBF7D13F80DD3A97EDF09C3F23F5B8D7F94B4C370CA7A1AF1D942DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372186Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.214{27B459FE-613B-619F-9B01-000000000F02}45563944C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+947021|C:\Program Files\Mozilla Firefox\xul.dll+9aeb6e|C:\Program Files\Mozilla Firefox\xul.dll+c90b1|C:\Program Files\Mozilla Firefox\xul.dll+1953ef6|C:\Program Files\Mozilla Firefox\xul.dll+16cfab5|C:\Program Files\Mozilla Firefox\xul.dll+1601a09|C:\Program Files\Mozilla Firefox\xul.dll+25f82|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+7dfe67|C:\Program Files\Mozilla Firefox\nss3.dll+7617d|C:\Program Files\Mozilla Firefox\nss3.dll+8e1c1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372185Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.202{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372184Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.202{27B459FE-5AC4-619F-1100-000000000F02}4081624C:\Windows\system32\svchost.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000372183Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.202{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92CF26FFA81EFD678DB1D05CB851459F,SHA256=A9AFCAAD1508B7F2B50F74E987A360407B45EF16444EAA401334352AE5E11060,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372182Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.190{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372181Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.190{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000372180Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.035{27B459FE-613B-619F-9B01-000000000F02}4556prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372179Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.033{27B459FE-613B-619F-9B01-000000000F02}4556prod.ingestion-edge.prod.dataops.mozgcp.net035.227.207.240;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372178Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.967{27B459FE-613B-619F-9B01-000000000F02}4556cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372177Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.965{27B459FE-613B-619F-9B01-000000000F02}4556cs9.wac.phicdn.net093.184.220.29;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372176Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.902{27B459FE-613B-619F-9B01-000000000F02}4556www-google-analytics.l.google.com02a00:1450:4001:827::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372175Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.893{27B459FE-613B-619F-9B01-000000000F02}4556www-google-analytics.l.google.com0142.250.185.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372174Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.590{27B459FE-613B-619F-9B01-000000000F02}4556www-googletagmanager.l.google.com02a00:1450:4001:82b::2008;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372173Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.588{27B459FE-613B-619F-9B01-000000000F02}4556www-googletagmanager.l.google.com0142.250.184.200;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372172Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.411{27B459FE-613B-619F-9B01-000000000F02}4556a1887.dscq.akamai.net02a02:26f0:1700:f::1737:a1a4;2a02:26f0:1700:f::1737:a194;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372171Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.406{27B459FE-613B-619F-9B01-000000000F02}4556a1887.dscq.akamai.net095.100.39.18;95.100.39.34;95.100.39.41;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372170Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.402{27B459FE-613B-619F-9B01-000000000F02}4556r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:95.100.39.41;::ffff:95.100.39.18;::ffff:95.100.39.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372169Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.300{27B459FE-613B-619F-9B01-000000000F02}4556www.mozorg.moz.works9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372168Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.298{27B459FE-613B-619F-9B01-000000000F02}4556www.mozorg.moz.works0143.204.93.87;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372167Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.233{27B459FE-613B-619F-9B01-000000000F02}4556d2nxq2uap88usk.cloudfront.net02600:9000:225e:2000:a:da5e:7900:93a1;2600:9000:225e:f000:a:da5e:7900:93a1;2600:9000:225e:e400:a:da5e:7900:93a1;2600:9000:225e:7e00:a:da5e:7900:93a1;2600:9000:225e:e000:a:da5e:7900:93a1;2600:9000:225e:e800:a:da5e:7900:93a1;2600:9000:225e:6a00:a:da5e:7900:93a1;2600:9000:225e:d000:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372166Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.222{27B459FE-613B-619F-9B01-000000000F02}4556d2nxq2uap88usk.cloudfront.net0143.204.98.30;143.204.98.118;143.204.98.120;143.204.98.36;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372165Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.185{27B459FE-613B-619F-9B01-000000000F02}4556example.org0::ffff:93.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372164Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.185{27B459FE-613B-619F-9B01-000000000F02}4556example.org093.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372163Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.160{27B459FE-613B-619F-9B01-000000000F02}4556prod.detectportal.prod.cloudops.mozgcp.net02600:1901:0:38d7::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372162Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.158{27B459FE-613B-619F-9B01-000000000F02}4556prod.detectportal.prod.cloudops.mozgcp.net034.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372161Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.151{27B459FE-613B-619F-9B01-000000000F02}4556detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;::ffff:34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000372160Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.166{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98de38|C:\Program Files\Mozilla Firefox\xul.dll+94e8b7|C:\Program Files\Mozilla Firefox\xul.dll+99bec9|C:\Program Files\Mozilla Firefox\xul.dll+dba2d8|C:\Program Files\Mozilla Firefox\xul.dll+195fd23|C:\Program Files\Mozilla Firefox\xul.dll+1953ef6|C:\Program Files\Mozilla Firefox\xul.dll+192f540|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000372159Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:11.166{27B459FE-613B-619F-9B01-000000000F02}4556\cubeb-pipe-4556-3C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000372158Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:11:11.166{27B459FE-613B-619F-9B01-000000000F02}4556\cubeb-pipe-4556-3C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000372157Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.166{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EA248B11B854C6EA468604683C9DD0,SHA256=1EF5AFC71A3E95ABB4822311092D09F205597FFBD3C1B29588ED89FC78A20BA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372156Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.154{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372155Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.154{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000372154Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:11.154{27B459FE-613D-619F-9E01-000000000F02}136\chrome.4556.8.64061312C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000372153Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.154{27B459FE-613B-619F-9B01-000000000F02}45563392C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+1b23dc|C:\Program Files\Mozilla Firefox\xul.dll+9511c6|C:\Program Files\Mozilla Firefox\xul.dll+94baaf|C:\Program Files\Mozilla Firefox\xul.dll+194c219|C:\Program Files\Mozilla Firefox\xul.dll+194a907|C:\Program Files\Mozilla Firefox\xul.dll+132f5|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+92d371|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000372152Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:11:11.154{27B459FE-613B-619F-9B01-000000000F02}4556\chrome.4556.8.64061312C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000372151Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:11.154{27B459FE-613B-619F-9B01-000000000F02}4556\chrome.4556.7.178619784C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000372150Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.154{27B459FE-613B-619F-9B01-000000000F02}45564376C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12dedb|C:\Program Files\Mozilla Firefox\xul.dll+11937fd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000372149Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-ConnectPipe2021-11-25 10:11:11.154{27B459FE-613B-619F-9B01-000000000F02}4556\gecko-crash-server-pipe.4556C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000372148Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f0b0|C:\Program Files\Mozilla Firefox\xul.dll+dc758e|C:\Program Files\Mozilla Firefox\xul.dll+dc1549|C:\Program Files\Mozilla Firefox\xul.dll+db3010|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372147Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98de38|C:\Program Files\Mozilla Firefox\xul.dll+98db34|C:\Program Files\Mozilla Firefox\xul.dll+a139ee|C:\Program Files\Mozilla Firefox\xul.dll+db2fc0|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018 10341000x8000000000000000372146Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+81ae59|C:\Program Files\Mozilla Firefox\xul.dll+db2d1e|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4 10341000x8000000000000000372145Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+81ae59|C:\Program Files\Mozilla Firefox\xul.dll+db2d1e|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4 10341000x8000000000000000372144Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+81ae59|C:\Program Files\Mozilla Firefox\xul.dll+db2d1e|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4 10341000x8000000000000000372143Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+81ae59|C:\Program Files\Mozilla Firefox\xul.dll+db2d1e|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4 10341000x8000000000000000372142Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+81ae59|C:\Program Files\Mozilla Firefox\xul.dll+db2d1e|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4 10341000x8000000000000000372141Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+81ae59|C:\Program Files\Mozilla Firefox\xul.dll+db2d1e|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4 10341000x8000000000000000372140Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+81ae59|C:\Program Files\Mozilla Firefox\xul.dll+db2d1e|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4 10341000x8000000000000000372139Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+81ae59|C:\Program Files\Mozilla Firefox\xul.dll+db2d1e|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4 10341000x8000000000000000372138Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+81ae59|C:\Program Files\Mozilla Firefox\xul.dll+db2d1e|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4 10341000x8000000000000000372137Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+81ae59|C:\Program Files\Mozilla Firefox\xul.dll+db2d1e|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4 10341000x8000000000000000372136Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+81ae59|C:\Program Files\Mozilla Firefox\xul.dll+db2d1e|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4 10341000x8000000000000000372135Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+81ae59|C:\Program Files\Mozilla Firefox\xul.dll+db2d1e|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4 10341000x8000000000000000372134Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+81ae59|C:\Program Files\Mozilla Firefox\xul.dll+db2d1e|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4 10341000x8000000000000000372133Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+db2cba|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372132Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.116{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+db2c31|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372131Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.114{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+bc375|C:\Program Files\Mozilla Firefox\xul.dll+db2908|C:\Program Files\Mozilla Firefox\xul.dll+3510d44|C:\Program Files\Mozilla Firefox\xul.dll+3510cb0|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+16016a9|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372130Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.114{27B459FE-613B-619F-9B01-000000000F02}45563392C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+94415f|C:\Program Files\Mozilla Firefox\xul.dll+7a2ca4|C:\Program Files\Mozilla Firefox\xul.dll+15f387c|C:\Program Files\Mozilla Firefox\xul.dll+194a98c|C:\Program Files\Mozilla Firefox\xul.dll+132f5|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+92d371|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372129Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.108{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372128Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.108{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372127Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.108{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372126Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.108{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372125Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.108{27B459FE-5C01-619F-A300-000000000F02}13443148C:\Windows\system32\csrss.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372124Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.108{27B459FE-613B-619F-9B01-000000000F02}45564348C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f3fd|C:\Program Files\Mozilla Firefox\firefox.exe+2e605|C:\Program Files\Mozilla Firefox\xul.dll+1f54d4a|C:\Program Files\Mozilla Firefox\xul.dll+9404aa|C:\Program Files\Mozilla Firefox\xul.dll+93e6b5|C:\Program Files\Mozilla Firefox\xul.dll+944f1e|C:\Program Files\Mozilla Firefox\xul.dll+7dd2b1|C:\Program Files\Mozilla Firefox\xul.dll+1601a09|C:\Program Files\Mozilla Firefox\xul.dll+2604a|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+7dfe67|C:\Program Files\Mozilla Firefox\nss3.dll+7617d|C:\Program Files\Mozilla Firefox\nss3.dll+8e1c1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372123Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.108{27B459FE-613F-619F-A301-000000000F02}5256C:\Program Files\Mozilla Firefox\firefox.exe94.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.7.1786197847\562736341" -childID 4 -isForBrowser -prefsHandle 4320 -prefMapHandle 4324 -prefsLen 6728 -prefMapSize 246000 -jsInit 1076 278680 -parentBuildID 20211119140621 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 4156 1d5f2372d38 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2LowMD5=B7A783B6E7C1E3D42CBD21294B1F53D0,SHA256=FA022774AD52430FBC203B38B9A395BA0CEF61A121A330F917754DBA316D4C93,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000372122Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:11:11.096{27B459FE-613B-619F-9B01-000000000F02}4556\chrome.4556.7.178619784C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000372121Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.090{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+21245b|C:\Program Files\Mozilla Firefox\xul.dll+7c6761|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372120Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.090{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+21245b|C:\Program Files\Mozilla Firefox\xul.dll+7c6761|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372119Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.090{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+98f096|C:\Program Files\Mozilla Firefox\xul.dll+dc96d8|C:\Program Files\Mozilla Firefox\xul.dll+21245b|C:\Program Files\Mozilla Firefox\xul.dll+7c6761|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372118Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.084{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372117Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.084{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372116Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.084{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372115Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.084{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372114Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.084{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372113Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.084{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372112Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.084{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372111Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.084{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372110Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.084{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372109Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.084{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372108Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.084{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372107Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.084{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372106Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.084{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372105Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.084{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372104Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.084{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372103Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.072{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372102Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.072{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372101Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.072{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000372100Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.072{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=88E037B116CDF6B11C37FB04A0318113,SHA256=D88A2DD2516F7E3204E7BF2ECA9CECB50DF3C9CBD1BFE9B782671436EFC30A24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372099Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.072{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372098Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.072{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372097Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.072{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372096Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372095Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372094Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372093Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372092Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372091Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372090Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372089Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372088Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372087Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372086Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372085Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000372084Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=88E037B116CDF6B11C37FB04A0318113,SHA256=D88A2DD2516F7E3204E7BF2ECA9CECB50DF3C9CBD1BFE9B782671436EFC30A24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372083Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A201-000000000F02}2868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372082Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613E-619F-A101-000000000F02}6124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000372081Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-A001-000000000F02}5196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+93dd3f|C:\Program Files\Mozilla Firefox\xul.dll+99afcd|C:\Program Files\Mozilla Firefox\xul.dll+98effa|C:\Program Files\Mozilla Firefox\xul.dll+98ee54|C:\Program Files\Mozilla Firefox\xul.dll+199554|C:\Program Files\Mozilla Firefox\xul.dll+81bf95|C:\Program Files\Mozilla Firefox\xul.dll+81bb71|C:\Program Files\Mozilla Firefox\xul.dll+192fad2|C:\Program Files\Mozilla Firefox\xul.dll+1602b7b|C:\Program Files\Mozilla Firefox\xul.dll+1955163|C:\Program Files\Mozilla Firefox\xul.dll+92fc0f|C:\Program Files\Mozilla Firefox\xul.dll+25e4e|C:\Program Files\Mozilla Firefox\xul.dll+199898|C:\Program Files\Mozilla Firefox\xul.dll+19875f|C:\Program Files\Mozilla Firefox\xul.dll+41035f1|C:\Program Files\Mozilla Firefox\xul.dll+416edf5|C:\Program Files\Mozilla Firefox\xul.dll+416fbe0|C:\Program Files\Mozilla Firefox\xul.dll+1e9d2f3|C:\Program Files\Mozilla Firefox\firefox.exe+9ea4|C:\Program Files\Mozilla Firefox\firefox.exe+1c018|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000372080Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.066{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=0D78B1E91387EBFD2465D333128D0CE8,SHA256=BC018579B8EBF6F2C2012E432236B947BF0FC4C881F869CC5C1E9CBD1C66520D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372079Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.060{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=2B4B33494C51835AA45D58A34A458A25,SHA256=A8A475292B9F843CA68EA89BA8B09160FD47D7CB75F1EF3FD0D1BE1EECE9E741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372078Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.054{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=2B4B33494C51835AA45D58A34A458A25,SHA256=A8A475292B9F843CA68EA89BA8B09160FD47D7CB75F1EF3FD0D1BE1EECE9E741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372077Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.054{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=8970D52CDD13525C5C0CBF3CDDD1F872,SHA256=EABCF6B2B16A678A4B54CCF89FDEE2037D5FF73160F39E42EB047A966899DE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372076Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.054{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=3CF3E03E4B513EF5FF1BA561F3E58321,SHA256=682F431479B582737669A10D1112AB4771E580C6C3FC8FE9DA8ED77570A862C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372075Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.053{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=5721A13173B95AF6B672A2BE8C60B2FC,SHA256=C5CA109ECC8420FD00123FAE842ED9EFE0167533B5732E36F7F91024F749EC84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372074Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.052{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=143E84259827038FF307ABB3EAD8A6E2,SHA256=9AF94B334D6D929F06846B47E8CE7803F7C619E9871D56C69E72A999A45B3934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372073Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.050{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=3F27101F5FD5A714F5C8E7CDDC14737A,SHA256=5222FC8A907A3E8D253301019A6ACDA615D6483BD86C559678BAEE5380773DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372072Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.049{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=EAE00A7D6BC478F3611F2798BD58F9CA,SHA256=71321585C0E07BE6825246A51EA3E0B4E4E721BA6368D01381DAF6788526919E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372071Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.047{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=D8180104854620B3567C6B3150554056,SHA256=474D014198520EFB26E13DD88A9D0345E61DDF826AA7DDF07F2B43A47788A39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372070Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.044{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=D8180104854620B3567C6B3150554056,SHA256=474D014198520EFB26E13DD88A9D0345E61DDF826AA7DDF07F2B43A47788A39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372069Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.043{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=697899E136C0C0F636EC51239E151A71,SHA256=8AC21EA52876DBFC917964209129668DEF9A4353BCD3399CF1EF0346B2F456E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372068Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.042{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=F8B3D1DC198B042F9FCA2AE9BE1D86A5,SHA256=3326C909C09A97BA7833E7837BC23BBF800D7A33BACA4C304A24FF52F5FDC745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372067Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.036{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=87F0F5839AA7EAAF188631AF02E0F0DF,SHA256=0B972CD35A33AADA115CC390F549C72321D8CCE92D71F4B993F500A64DB32A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372066Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.036{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=A36303C006141E7ACE1D733BA2E865A8,SHA256=5963562906A77937C280BF8F31995051E096F7DD24792F14DA3E6982635082A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372065Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.027{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=E1A71C01B5E41D2EC7F6CE4C439E8B04,SHA256=C2A56750FCDDB4C874FA14108FF1CA83C2064A3E83C41E77BF238DB2015DE367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372064Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.027{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\update-config.jsonMD5=FE74F5C38F433736EE7015868CFB159E,SHA256=3F7B3252EF3B6217AD78ADB7007738601CE1EEBCA69F55990B64BF254BD4FC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372063Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.027{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=CF6DA818940EAF3CA3CED609685FC35D,SHA256=7F49F9CC1CA65C4DAADBA1E5EBDEE5DAF006685EB146EC287E00C6FDADF6248E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372062Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.027{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=F451E99A16EB48FC1518F280C83DE806,SHA256=DC4F07714B032905EC1C3E24B3F7FBA7F7A596894E1F86BA5A31F81A317E11FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372061Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.022{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=1E95B11EEBAC0EF41394B231085A7A25,SHA256=D9D628209B77ABECBACB94A7DBA07C4A99D657DC221E9AD46A0099E588234FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372060Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.022{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=2391BA966CAC0B59E70F39F9C62B57CE,SHA256=D443363D9192AF9A7ABAA8DE43083F3A051C681C2E33D4F85D5AA60B8F1AF4FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372059Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.022{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=FC94DC782BF95311A9A853FEB4787D95,SHA256=5A4AD90C1985289AEE24CB341B255128D915FBF75E17D8B06ACD0E9758846089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324890Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:12.909{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EE530F4FE27F37567BA5A11F9A83BF,SHA256=F6B77680CEA508F64D1929085BE4EB5249C2F995148CB8DA808AAA0509FEE3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324889Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:12.257{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-026MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372341Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.700{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372340Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.537{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local59009-false95.100.39.41a95-100-39-41.deploy.static.akamaitechnologies.com80http 354300x8000000000000000372339Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.521{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local59007-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000372338Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.520{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local59008-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000372337Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.516{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local59868- 354300x8000000000000000372336Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.474{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local59006-false52.222.214.96server-52-222-214-96.fra56.r.cloudfront.net443https 23542300x8000000000000000372335Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.588{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2F39CFDA7C23772DEDF63B17344778,SHA256=2A154D1208AC10E0E5299223C966823091206A9E3E039136B4A922ABD360F943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372334Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.443{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372333Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.437{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372332Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.436{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372331Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.436{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372330Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.434{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372329Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.432{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372328Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.431{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372327Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.430{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372326Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.430{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=83BCEF27E5B36115C2ADBA73CE9A7D2B,SHA256=3F68B0FEFBD484094D6517761B2DC13C6A430DDE3B44FA6CCACA3E39052D2AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372325Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.418{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=177BC07ECED26CEBE0441C318BD35BB8,SHA256=2A816C802C006DF75CA86E1497E4CF05DFB0F07DB0CD31C0EC30EDAF92C2DF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372324Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.418{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372323Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.418{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372322Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.418{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=FD78780FA7E5EDFCEB818F1FBEF1083A,SHA256=B8DBB28777304C973FF668EF9C1789538FF7959D9875F4617B171D889B810C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372321Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.418{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=12C87EA0C026DEF5BB566AE8CED44D20,SHA256=05297CE56AAD57D547310564BC440F9E2CC54CD75190DD2F08B7EE7DBC97DC21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372320Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.418{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=6047B17F6B82B485F1553AB77901898A,SHA256=B08227F05461D399EBA8A14F43E9A91CF3279F421E777529E54D4EC8412D56CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372319Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.168{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local61466- 354300x8000000000000000372318Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.168{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local59990- 354300x8000000000000000372317Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.167{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local52348- 354300x8000000000000000372316Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.167{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local59555- 354300x8000000000000000372315Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.167{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local56339- 354300x8000000000000000372314Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.167{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local60454- 354300x8000000000000000372313Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.166{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local55768- 354300x8000000000000000372312Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.166{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local60602- 354300x8000000000000000372311Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.139{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local59005-false35.227.207.240240.207.227.35.bc.googleusercontent.com443https 354300x8000000000000000372310Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.096{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local59004-false35.227.207.240240.207.227.35.bc.googleusercontent.com443https 354300x8000000000000000372309Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.095{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local59003-false52.222.214.96server-52-222-214-96.fra56.r.cloudfront.net443https 354300x8000000000000000372308Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.028{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local59002-false93.184.220.29-80http 354300x8000000000000000372307Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.028{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local52600- 354300x8000000000000000372306Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.025{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53364- 354300x8000000000000000372305Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.002{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-266.attackrange.local60391-false142.250.185.174fra16s51-in-f14.1e100.net443https 354300x8000000000000000372304Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.977{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local59001-false142.250.185.174fra16s51-in-f14.1e100.net443https 354300x8000000000000000372303Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.955{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local60390- 354300x8000000000000000372302Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:09.954{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local56977- 23542300x8000000000000000372301Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.332{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=52F439BB5A7067686FCF320EB9EB77E8,SHA256=FC61FA1BA5B51E1F7399B771DC1559E5A382F7095623116A740AA278F7C0DB81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372300Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.331{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=D269FAC01D44C715F336033EA41700E2,SHA256=0F7B6D311CE48AD501FA02A4299F81F243E06E8309B60AC0360FE3396D95EB71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372299Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.318{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=E058FB99B58BD6FFED34D0E87A4D31DE,SHA256=C2BD2AB3F6861847C231C44272486A0A4BCEA048AF760C708B5BDEF88875C58A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372298Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.318{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372297Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.318{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=C304130FDF80EBEA9B3032FE6E12A58E,SHA256=7F939CEE68C99227D40E1F1AB222071A1B5D5E7BD2023E2226BA6BD9062DC7C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372296Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.318{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=4432B562BA87E820735611281B5F0AED,SHA256=90BDEE3AFC882F02DC93B5076679495782FE75FDB35B1B1469533502F1EEC259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372295Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.306{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=8366A72DD1BE14DBEA6BCD1CE1EB18D2,SHA256=04EA92A9E4E6CBB13448A4789594E43092C9A47DB1B3405D9FB3F170E0E38163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372294Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.306{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372293Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.294{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372292Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.294{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372291Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.294{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372290Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.294{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372289Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.294{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372288Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.282{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372287Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.282{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372286Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.282{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372285Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.282{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=541A5B64E717036541566E3BB6C299AE,SHA256=A413910EA06ED30EBB15E2FA31B6AE571B3F0862A6FBF35731623F4A4625A3E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372284Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.282{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372283Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.282{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372282Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.282{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372281Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.270{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372280Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.270{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372279Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.270{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=0DBA6F5178E8433D0EED8C5BB5223635,SHA256=262DCBF46B0C20468B29D2908412070388B9BAAF0AFED3693245F92E61E5DE00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372278Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.270{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D65C0F2F756552800930D7EDA0264C0B,SHA256=67606ECCDB4FA978F4795C2ABC47767824C6D5AD65C3EE02E0E7445A31CF37CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372277Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.258{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372276Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.258{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372275Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.258{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=AFD5A023DF4245E323E53D47A0BF9414,SHA256=FEE63ABE7743CA680B6C96024D9EE023C10F7C9BC1929231A663A55A79EF5D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372274Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.258{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=80ED9689AB372AAC91B47B347AE5A3BD,SHA256=253E054323EF5921475DD6DFC92942944B17AD7F18FCF851C44F165687F845AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372273Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.258{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372272Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.258{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372271Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.258{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=10DF08FF9D77ACBF8F2BFB88B4BF1E3E,SHA256=4CC64D82E2EE876BA287302C877554B9D226416AF66CDF9C0350DBB845433881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372270Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.246{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E1E560A4EAE533286AEA5189E628BBCA,SHA256=0E5F9C474D34A165AF58EFB90E76E2CEDAE8A3E4FC29A6D9B9E2CFAEACD88A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372269Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.243{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=8366A72DD1BE14DBEA6BCD1CE1EB18D2,SHA256=04EA92A9E4E6CBB13448A4789594E43092C9A47DB1B3405D9FB3F170E0E38163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372268Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.233{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372267Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.128{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6140-619F-A401-000000000F02}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372266Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.128{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372265Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.128{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372264Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.128{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372263Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.128{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372262Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.128{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-6140-619F-A401-000000000F02}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372261Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.128{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6140-619F-A401-000000000F02}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372260Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.132{27B459FE-6140-619F-A401-000000000F02}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000372259Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.116{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF6522DDCC20F7D3AA88B50EE6800589,SHA256=214F580672CAF87447DC0C747CBC8CA36D495C574DF5D7D0FDCC91E664130ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372258Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.104{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=12C87EA0C026DEF5BB566AE8CED44D20,SHA256=05297CE56AAD57D547310564BC440F9E2CC54CD75190DD2F08B7EE7DBC97DC21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372257Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.092{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372256Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.092{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=E058FB99B58BD6FFED34D0E87A4D31DE,SHA256=C2BD2AB3F6861847C231C44272486A0A4BCEA048AF760C708B5BDEF88875C58A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372255Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.080{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372254Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.056{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=52F439BB5A7067686FCF320EB9EB77E8,SHA256=FC61FA1BA5B51E1F7399B771DC1559E5A382F7095623116A740AA278F7C0DB81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372253Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.003{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324892Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:13.925{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F42D5FBA66C7090EB1039CA170BF8B,SHA256=6716034DF3587F0A758E448FDF4B1CD91B63EC7B924675E9ADC679AF5FF6D1C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324891Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:13.270{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-027MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372347Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.766{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e89680|C:\Program Files\Mozilla Firefox\xul.dll+e894f5 23542300x8000000000000000372346Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.590{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372345Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:10.558{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local59010-false143.204.98.36server-143-204-98-36.fra50.r.cloudfront.net443https 10341000x8000000000000000372344Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.353{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b44a40|C:\Program Files\Mozilla Firefox\xul.dll+b440c6|C:\Program Files\Mozilla Firefox\xul.dll+b3ad07|C:\Program Files\Mozilla Firefox\xul.dll+b453f0|C:\Program Files\Mozilla Firefox\xul.dll+f31839|C:\Program Files\Mozilla Firefox\xul.dll+19a8669|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0|C:\Program Files\Mozilla Firefox\xul.dll+e24fb2|C:\Program Files\Mozilla Firefox\xul.dll+e24b92|C:\Program Files\Mozilla Firefox\xul.dll+18a296a|C:\Program Files\Mozilla Firefox\xul.dll+1a4868a|C:\Program Files\Mozilla Firefox\xul.dll+e8ab6b|C:\Program Files\Mozilla Firefox\xul.dll+192fad2 23542300x8000000000000000372343Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.140{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=416F7E1EDAB630796339160EC4169111,SHA256=ECBACB94681CC83F03D7212EAD23FA75553BE2A0537FF1240C95D7F57877205F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372342Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.101{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825F1EC9012FE5EFFE5EE1BB1D09C5A5,SHA256=B07D19737BA5A12E0CCE70101F6309050EE6A89CDCE7A120B8C3292D34B42AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324893Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:14.925{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B5F563E684A844EB8380B64113E195,SHA256=142DBEFD68AD45A6C6267ECAAAF32F10F0E513858AA38BB55790AFF7C3CFB656,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372391Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.862{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-266.attackrange.local60692-false142.250.184.228fra24s12-in-f4.1e100.net443https 354300x8000000000000000372390Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.858{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local60691- 23542300x8000000000000000372389Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:14.826{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372388Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.485{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local59070- 354300x8000000000000000372387Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.482{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local62207- 354300x8000000000000000372386Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.478{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local59080- 354300x8000000000000000372385Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.477{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local60995- 354300x8000000000000000372384Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.475{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local56941- 354300x8000000000000000372383Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.475{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local57674- 354300x8000000000000000372382Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.475{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local56803- 354300x8000000000000000372381Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.473{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local52660- 354300x8000000000000000372380Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.472{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local55037- 354300x8000000000000000372379Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.471{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local62118- 354300x8000000000000000372378Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.470{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local52884- 354300x8000000000000000372377Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.467{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local57321- 354300x8000000000000000372376Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.467{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local59913- 354300x8000000000000000372375Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.466{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local54526- 354300x8000000000000000372374Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.465{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local57664- 354300x8000000000000000372373Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.465{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local52767- 354300x8000000000000000372372Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:12.464{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local54329- 354300x8000000000000000372371Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.799{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local59012-false93.184.220.29-80http 354300x8000000000000000372370Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.630{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-266.attackrange.local59011-false34.210.41.101ec2-34-210-41-101.us-west-2.compute.amazonaws.com443https 354300x8000000000000000372369Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.475{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local57859- 354300x8000000000000000372368Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.474{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local61365- 354300x8000000000000000372367Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.472{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local60170- 354300x8000000000000000372366Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.184{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local52222- 354300x8000000000000000372365Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.183{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local51150- 354300x8000000000000000372364Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:11.183{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local56140- 22542200x8000000000000000372363Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.413{27B459FE-613B-619F-9B01-000000000F02}4556e13630.dscb.akamaiedge.net02a02:26f0:1700:195::353e;2a02:26f0:1700:1b0::353e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372362Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.413{27B459FE-613B-619F-9B01-000000000F02}4556www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372361Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.411{27B459FE-613B-619F-9B01-000000000F02}4556youtube-ui.l.google.com02a00:1450:4001:809::200e;2a00:1450:4001:828::200e;2a00:1450:4001:829::200e;2a00:1450:4001:82a::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372360Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.410{27B459FE-613B-619F-9B01-000000000F02}4556youtube-ui.l.google.com0142.250.185.142;142.250.185.174;142.250.185.206;142.250.181.238;172.217.16.142;142.250.184.238;142.250.186.46;142.250.186.78;142.250.186.110;142.250.186.142;172.217.18.110;142.250.186.174;142.250.184.206;216.58.212.142;142.250.185.78;142.250.185.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372359Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.409{27B459FE-613B-619F-9B01-000000000F02}4556www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:142.250.185.110;::ffff:142.250.185.142;::ffff:142.250.185.174;::ffff:142.250.185.206;::ffff:142.250.181.238;::ffff:172.217.16.142;::ffff:142.250.184.238;::ffff:142.250.186.46;::ffff:142.250.186.78;::ffff:142.250.186.110;::ffff:142.250.186.142;::ffff:172.217.18.110;::ffff:142.250.186.174;::ffff:142.250.184.206;::ffff:216.58.212.142;::ffff:142.250.185.78;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372358Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.409{27B459FE-613B-619F-9B01-000000000F02}4556e13630.dscb.akamaiedge.net023.201.185.240;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372357Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.407{27B459FE-613B-619F-9B01-000000000F02}4556djvbdz1obemzo.cloudfront.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372356Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.405{27B459FE-613B-619F-9B01-000000000F02}4556e11847.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372355Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.405{27B459FE-613B-619F-9B01-000000000F02}4556github.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372354Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.404{27B459FE-613B-619F-9B01-000000000F02}4556djvbdz1obemzo.cloudfront.net052.222.239.60;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372353Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.404{27B459FE-613B-619F-9B01-000000000F02}4556e11847.a.akamaiedge.net0104.75.89.144;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372352Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.404{27B459FE-613B-619F-9B01-000000000F02}4556www.amazon.de0type: 5 tp.abe2c2f23-frontier.amazon.de;type: 5 djvbdz1obemzo.cloudfront.net;::ffff:52.222.239.60;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372351Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.404{27B459FE-613B-619F-9B01-000000000F02}4556www.ebay.de0type: 5 ipv4.slot11847.ebay.com.edgekey.net;type: 5 e11847.a.akamaiedge.net;::ffff:104.75.89.144;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372350Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.403{27B459FE-613B-619F-9B01-000000000F02}4556github.com0140.82.121.3;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372349Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.403{27B459FE-613B-619F-9B01-000000000F02}4556github.com0::ffff:140.82.121.3;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000372348Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:14.108{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD1147BF8C31AD17B7EB9A93BCF54F3,SHA256=D3437D1332CB8C58E22D10070BE62754494090212E2D1B41595BE1A4C61BB1BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324895Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:15.925{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624B52D93307D5FDAB0006F041768927,SHA256=14E8C3389CAFFC9F0DD30B25CC2FDF3FB7A1A4AB00942C1E8A7875B3E5D4F6CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372404Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:15.291{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3349DFE57C7C009CC18C13F2E208393,SHA256=CF59BAE80E3113847DDDE7CC2BEEEB9AABCB88972F0587F3367B120F65228DA9,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000372403Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.423{27B459FE-613B-619F-9B01-000000000F02}4556t.me0149.154.167.99;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372402Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.420{27B459FE-613B-619F-9B01-000000000F02}4556t.me0::ffff:149.154.167.99;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372401Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.420{27B459FE-613B-619F-9B01-000000000F02}4556dyna.wikimedia.org02620:0:862:ed1a::1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372400Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.416{27B459FE-613B-619F-9B01-000000000F02}4556dyna.wikimedia.org091.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372399Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.415{27B459FE-613B-619F-9B01-000000000F02}4556www.wikipedia.org0type: 5 dyna.wikimedia.org;::ffff:91.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372398Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.414{27B459FE-613B-619F-9B01-000000000F02}4556star-mini.c10r.facebook.com02a03:2880:f11c:8183:face:b00c:0:25de;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372397Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.413{27B459FE-613B-619F-9B01-000000000F02}4556star-mini.c10r.facebook.com0157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000372396Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:15.185{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\cache2\doomed\23601MD5=400E1DF53B95E0ED9C5FA669FB83C22C,SHA256=E0A9083BC6904C7690355684922291127A85302FF9516525A6C164A3AC35C0BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372395Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:15.185{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\cache2\doomed\630MD5=969ACDE6CD494B0B5A42D0E8122AD381,SHA256=94A6A7533CBAB77454B7BD83158362E809C669847EB04DEA340E4F06D9E749E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372394Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:15.185{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\cache2\doomed\18742MD5=2E22B05E9D860E1F0FA10AA89AA8AEAF,SHA256=5DDDFD4F4ECC6694A7D5B034D5CC0BADB1CEB5B3284D22440A08257E965FE53E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372393Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:15.182{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\cache2\doomed\22882MD5=429A55B945FCE763AB8A4616C0F5685D,SHA256=8BA4EDBD8A949965E138EF84F6378E4C7B604FC13960EF22691276BD2C8ACC7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372392Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:15.182{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\cache2\doomed\1156MD5=E7423CE87C9DD038ACE299694B18EC57,SHA256=AD72811F69B3D821C26C6F86870ECBBA87DBB14B58060C98C33DD3EFBD11CA09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324894Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:13.711{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50073-false10.0.1.12-8000- 23542300x8000000000000000324896Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:16.940{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63607DAD8E111D6E62B7E67377C62178,SHA256=87FCB5607512E294F9A129240121CA251473B3DE99ACE0C5960BE71E1B51DEDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372412Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.837{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59013-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000372411Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.293{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local55782- 354300x8000000000000000372410Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.293{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local60228- 22542200x8000000000000000372409Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.801{27B459FE-613B-619F-9B01-000000000F02}4556www.google.com02a00:1450:4001:812::2004;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372408Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.800{27B459FE-613B-619F-9B01-000000000F02}4556www.google.com0142.250.184.228;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372407Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.799{27B459FE-613B-619F-9B01-000000000F02}4556www.google.com0::ffff:142.250.184.228;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000372406Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:13.438{27B459FE-613B-619F-9B01-000000000F02}4556t.me02001:67c:4e8:1033:5:100:0:a;2001:67c:4e8:1033:4:100:0:a;2001:67c:4e8:1033:3:100:0:a;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000372405Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:16.196{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439B8BDC65475EB1F981196EE9242EB2,SHA256=FFD0C4629DC13D3B37B3DFF4F93579EBCAEB94DAB4C64D7EA13EECA7355D6209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324897Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:17.971{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DEA52A5B23A1FEFF71BA4C5255C161,SHA256=08EB3A2074707DF4F205BB63A0FE78CC6EAB08C685814A5B3761D7ADE21418DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372414Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:15.044{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59014-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372413Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:17.207{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E55F5A7E7DAD0056D1043C65BA688FD,SHA256=ED103455AE0E68688DDDB74DFA7F8881799FF4DEBCA1907788D3DEA2A24EDED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372448Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.389{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B026BFA35968F7CEE5FC3B00B53B4E3,SHA256=69B01F68F76FCAEDC486685181CF7B0E34CE7378852EEC5E719545A39E4B074F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372447Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.206{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372446Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.206{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372445Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.206{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372444Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.206{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372443Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.206{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372442Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.206{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372441Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.206{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372440Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.206{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372439Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.206{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372438Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372437Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372436Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372435Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372434Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372433Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372432Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372431Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372430Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372429Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372428Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372427Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372426Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372425Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372424Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372423Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372422Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372421Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372420Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372419Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372418Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372417Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372416Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372415Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:18.202{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000372449Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:19.396{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DAF25F97C7D47AE1BF522C58CA5138,SHA256=34B1DBA71F653F385DE6081C5608026A043FC0353A81180D7A1A128D1DAA04D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324898Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:19.018{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683FCBF158B0DD6CE43C8A7A8A65FC36,SHA256=4F7C6BB3B2DE3C0BBB4F2C4C5EA06DD17348D512A9B397A72BAA0A9DBF1C97B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372452Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:20.543{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+9523a9|C:\Program Files\Mozilla Firefox\xul.dll+9522ca|C:\Program Files\Mozilla Firefox\xul.dll+951ed9|C:\Program Files\Mozilla Firefox\xul.dll+94dc7f|C:\Program Files\Mozilla Firefox\xul.dll+94df8c|C:\Program Files\Mozilla Firefox\xul.dll+aa87ba|C:\Program Files\Mozilla Firefox\xul.dll+2d2329|C:\Program Files\Mozilla Firefox\xul.dll+2d2234|C:\Program Files\Mozilla Firefox\xul.dll+2d2035|C:\Program Files\Mozilla Firefox\xul.dll+2d1ee4|C:\Program Files\Mozilla Firefox\xul.dll+acfe73|C:\Program Files\Mozilla Firefox\xul.dll+ad0ff1|C:\Program Files\Mozilla Firefox\xul.dll+acfb6d|C:\Program Files\Mozilla Firefox\xul.dll+acee12|C:\Program Files\Mozilla Firefox\xul.dll+af7035|C:\Program Files\Mozilla Firefox\xul.dll+19a869d|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0 23542300x8000000000000000372451Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:20.399{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD896A8B8487C434717B7BC302CE7DD6,SHA256=D4F8A41285B1C6F1BCEC5CAF8780D2E8BBB624D4F37E9D8AD113D4D83200EA5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324900Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:18.789{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50074-false10.0.1.12-8000- 23542300x8000000000000000324899Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:20.032{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D21A98615EE3FD0E963F75F94E8400EB,SHA256=AEF8C6AA873C883E70C641161F2F717B94F8588589C922409ECAA73B2AA8C599,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372450Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:20.365{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+9523a9|C:\Program Files\Mozilla Firefox\xul.dll+9522ca|C:\Program Files\Mozilla Firefox\xul.dll+951ed9|C:\Program Files\Mozilla Firefox\xul.dll+94dc7f|C:\Program Files\Mozilla Firefox\xul.dll+94df8c|C:\Program Files\Mozilla Firefox\xul.dll+aa87ba|C:\Program Files\Mozilla Firefox\xul.dll+2d2329|C:\Program Files\Mozilla Firefox\xul.dll+2d2234|C:\Program Files\Mozilla Firefox\xul.dll+2d2035|C:\Program Files\Mozilla Firefox\xul.dll+2d1ee4|C:\Program Files\Mozilla Firefox\xul.dll+acfe73|C:\Program Files\Mozilla Firefox\xul.dll+ad0ff1|C:\Program Files\Mozilla Firefox\xul.dll+acfb6d|C:\Program Files\Mozilla Firefox\xul.dll+acee12|C:\Program Files\Mozilla Firefox\xul.dll+af7035|C:\Program Files\Mozilla Firefox\xul.dll+19a869d|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0 23542300x8000000000000000372453Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:21.414{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF67F49E51C7DFC3790B63211DF9EED,SHA256=514C0C7C0E7E5DFC52E5DDE876160981600E3F580064E9AB7F03028179A2D0A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324901Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:21.031{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BBEF48225BE4F15D544E81FBB596770,SHA256=3D33A7EB3F9FA42DBC1349D3F26BB810B186142D1295E04218D341BB9002393E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324902Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:22.094{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89EA153473C8500FF174BCF15459B5B7,SHA256=3E20691ECC27E65D8B2010A5391D43339A7D0C55183F62260B3809FC906BBDD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372457Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:22.483{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED7280ABDF4DB1BE76A974490570433,SHA256=EAD46613D2ADC1C9FFF6117D9A06DEA87E52ABD18BD89432BF324A0784750107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372456Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:22.183{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372455Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:22.183{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372454Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:22.179{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372462Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:23.767{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=61E72A8AC1B2CEB57ABDD80C9962B231,SHA256=729758CE7C058CB4FC844BC004B6F0030471706C55097E40DD2B018A1C268A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372461Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:23.488{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4643A9EA7E3EEAFB62900F81D59899,SHA256=5E68160E7FF3FE51B7E289B33CFDA23C6800D648E7BB7A3F9580DD2B250F9C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324903Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:23.125{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF6AE90E3A4F00734F40741208D3D27,SHA256=490B2B7290D91B0405BF48C5EA519093A73A76D2E3F115E3954F609696B2E5C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372460Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:21.040{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59015-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372459Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:23.120{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=BBDC4BD4AB0CB2A49D4F61ED8D37A840,SHA256=469A74F5278B73FBCB7507B3ABCDC30A7371C34AC2EF50261335759348130081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372458Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:23.120{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=C9BAF648E2A8B2B03DE429B959DAF9C8,SHA256=C653BCCF9FB469AC177CEBBB6B6EA1E9AC036E64077D244AB5933DF8E6B742FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372463Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:24.490{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD4A16E015280802A6B43C804065D58,SHA256=2D8EF8C89AE62B7D4DB5D2065F56F6959B67E5A0C8B4E9719EAF9A2832823C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324904Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:24.124{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075FA228A1E8228B4655D4F7A31F57F4,SHA256=4F97B3031A34933408FEC1C06C3702DFDFBFBFC0172A583F8162CDA953CC738D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372464Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:25.495{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C518FA7A162DC89A34774FA0BF7EF7CF,SHA256=CD33226728AADE77CEB956A05CFE5674C80F41D98AF4C10DE10C101C7789917C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324906Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:23.881{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50075-false10.0.1.12-8000- 23542300x8000000000000000324905Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:25.140{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E210E8B05A269F473C2715E86AC9069,SHA256=185BB3C138C1C8BF761FCBF3799A7352CBD7F1929E06C50F3171521B400F4FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372465Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:26.496{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCA46B70BFCD059EAE0E9E8498AB1C6,SHA256=A6B52BB8D08B3E6F02B7CABD100358DC776C8DFF92F2B9B15804A5E5DC3B5C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324907Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:26.140{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D82E7CE68E865953484F38F14B8B329,SHA256=F677982AE642C841497560811FFAA491366548D43BC83BEDE0D36E6F61551337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372466Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:27.502{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8181C89DB613E64ED1CB4A989EBCC316,SHA256=D5CB90F9525EE594B29415A72238FA1396EAF3A969D14D0E58DCB77D3B950209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324908Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:27.139{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D83CA4CF73BB57AD32BEC62ACFDE75C3,SHA256=96EBE9076DBB44FC9C416448C43B3F094B0D6400B4CE9E333580949CD39CCB8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372468Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:26.205{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59016-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372467Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:28.507{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A891DCBFD25966D3F0B2DE69A0746A89,SHA256=433C2947AF76A3C0CC23824BD75ADADF7F27E284A39BEAA35A799DD92C35425C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324909Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:28.155{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BEE575ABC38C50DA947F24BFCC68D2,SHA256=9657B6E7B9B96B26AE362F03DE86335605576A0D88E8A2E492713C8E5D2C4CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372469Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:29.513{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6218D03D1D948AF59365218CC28C634F,SHA256=61B3DACED38397811A76F548026BAB509B7737F68E1199DAB82A622D90E9E794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324911Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:29.373{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=24FDCAAAF1FE748BBC14F2248258BC88,SHA256=0CAA4A6204BF84E811C9F1CCF3AB9578B87B2ABF68E362ECA7B600AFF9A73F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324910Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:29.155{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC784128E862C7CDBF3EFFA8052B65E,SHA256=68EB48DA3C13F664240E1FBAF9EEF74B1B652C6E5885D104EE0209D3233D0622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372470Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:30.514{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8B0622B6D4ED7B2B1A16974773B53D,SHA256=A6DDF8074E877BE13B03F7831682F791551F37756D5CDD92742CEF239BE113FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324913Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:30.342{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324912Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:30.170{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E1711D3539C3802093E4CD82874B6A,SHA256=56BADBDAEED4B8D10A0AB3235BFBB7F647D090A262FE084FC1C359B7C70AA925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372471Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:31.517{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8AC6180673466AEAAD397319B3E564F,SHA256=356DA6E08D6F37D6DABCE5831591DE1ACA230360709DA77617262FAE6B55F4A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324916Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:29.944{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50077-false10.0.1.12-8089- 354300x8000000000000000324915Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:29.866{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50076-false10.0.1.12-8000- 23542300x8000000000000000324914Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:31.170{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E564DDE31C18F319CF3E80F41593B5,SHA256=97D7995250ED4CDBB50C3AB950C04820A12E9B075B2AAB00C87D252EF89D5F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372473Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:32.519{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B055C55837A514C4B6A3B5F903AE16,SHA256=52ECBC6FE7CA500E2E86733DFB5CF09931F28C0346DF798EC29D6CDAE951D7FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324917Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:32.170{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE8CC97A0958EF668B7C38C96C91299,SHA256=8DDD067195DE838D7734539FD1AEAE40406EC3AFA2A43FE306F35B60AF7A606F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372472Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:32.397{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-026MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372476Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:33.617{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7103D3B8D157AF6A5D4D20A2F6131C92,SHA256=9A762F12333439F5940CBD37BA19A604E9BF547225953DCE9015B0B199006740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324918Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:33.201{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F592785B6A8F6427DC3A71F7368C7A29,SHA256=40F68779C9A9B9358268E3C8022E94F0D26C01451F3A0BFE1F2C3DF69174EB48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372475Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:33.398{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-027MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372474Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:33.092{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=6C2CB0C0D5E9CF98BDD1541C0C908B0A,SHA256=1800A86352EF66F7BFB2D9D26E5F2D7638E8930CE63F8DDF8C2A33021B9B5760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372479Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:34.622{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0426995927ECC3BB3CBCAA19361BBD6,SHA256=2F845FF9AF0AAF58766CADF71106C93C1035A376517E13A215141F996CAE69B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324919Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:34.200{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396A7F72582C0BAA1A3518456E0478DA,SHA256=7B6F0A2E3C703B602D4C65704F59F5C7233D4612F0DCC266DA9A583C2E2FE055,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372478Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:32.153{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59017-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372477Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:34.473{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FF8D9A735FBF6DF65046F5792C9D86DB,SHA256=D05E62686DF83D59FA76B84CAD59CA4B47DFDD794E14370AC9D8ACCE22FAEF9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372480Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:35.631{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180A20CEC91C444092AB35DC762D99A6,SHA256=5971F08CBB1A4E16C7810C6B7BD049FE97E27A0C2BB7422181FDF3B73FBE7BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324920Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:35.200{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444FB013A6D0D2ACB140392B5A1A292E,SHA256=7BF58E8227BCE6B5B5C81CEB7BDAAFF4D306E1941D307C11B5AE6110D0063546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372481Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:36.644{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8DE502A3051D960A16AB918236E7D9,SHA256=8310375D4BC40A24F268CF0C46155379E2BE2B2EEB13D083B807818B403E7A7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324921Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:36.231{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D95B44AC2DDE1CCB6199E9EA084CF8,SHA256=3B892465951C363A3D786C185F11105D4E6DB5ABA99CB767B3349A18817C3AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372482Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:37.653{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC5B8189D7C9409D0E92F11C1B70C48,SHA256=0140B755E32DB0FBFFC29B79AA6D2AAEE86B0546E2CCC90775F5A73681B43BAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324924Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:35.604{99D2EDAA-5AA3-619F-0100-000000001002}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.15win-host-61.attackrange.local138netbios-dgm 354300x8000000000000000324923Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:35.604{99D2EDAA-5AA3-619F-0100-000000001002}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-61.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000324922Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:37.247{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21504970A43C0B4DBA72BA713587F4A6,SHA256=A128E4BF2563EDDDDF5D97DB6EF6F6880222822DC6E296F1512B77E5CD488834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372483Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:38.666{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C4FB613677B8F7384980EFA6BA2437,SHA256=5D7CD1941314626E8312864E6319B7628C236EF5DACE18B023E91A5A5E8DEB2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324925Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:38.278{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A114BB7FEF66CD88D8C8862E21F0B926,SHA256=B153BBF02BDFEF94FE9F7E02FAB28A53CDD68F2039986983249428B5784F793C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372485Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:39.668{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDF4D3EB9B307FE3B970269FB1F81DE,SHA256=B59D48EE92E783478895017E700772484651C458EBB1E8035F9B239C1C6B38E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324927Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:39.340{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F93FDA206DF93CF1DB57A54023B80F,SHA256=E26ED22EEF39131995B9DE03E5F7EECF64F1AECE5703C5CFFD2BEE08B184BA3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372484Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:39.592{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\thumbnails\d31fbd1c52ab2c189e708008e14bfeb7.pngMD5=4AC1F7493792AEED0A5A1C79BC7BFE57,SHA256=1CD6EB549B45D3BEA587E9D5DB1E41CD456A61D2BA3595FC544927F35EDB72AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324926Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:35.850{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50078-false10.0.1.12-8000- 23542300x8000000000000000372489Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:40.954{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372488Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:40.673{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92BEA48626D42B6DCAF7B34EEA2B4B90,SHA256=990596919E0587B7A0319D5928E7662A82F2B2D129A678EE92EEE652634EE0F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324928Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:40.355{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD457E74B922E9F20CF4C2A5DBAB028B,SHA256=E8EF615B541CFEF827575667A5C29F3C94C53FD96BBFD725750016C2BE941BE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372487Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:38.076{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59018-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372486Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:40.086{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372492Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:41.683{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FB87B5E4CC44A53D52354BD6BB5EB5,SHA256=377269205BE6E57088F982FBF3BBF4538F08FD5ADF7AA6583E4F763166CA9411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324929Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:41.354{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E15BD3CA16F3A323E3AA50434FFBEC,SHA256=B619460EAAA69DCA988BC206B9242DE3E525EC5488880ADD787680706B295797,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372491Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:41.542{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372490Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:41.542{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000372493Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:42.860{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05A56297A65B6EF979ADD00814BF66C,SHA256=8497E2997A5F20A914C5ABE2D64816BC905DA48554FE2C9F0E3D9ABD9ED02CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324930Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:42.386{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A74C65CFEEDC03273DDAF49862F0380,SHA256=C54E3C4CA9CCDCBA5AE8737AE3BBD5AFC162628B282A6C824C209FF94649E59A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372494Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:43.865{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD937068154144181F5ACA8061FB741E,SHA256=2116F0A13308E9AFF58352D0B95B92A425CF42C4F6C8964FE7B5F77E01E21B4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324945Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:43.510{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-615F-619F-5901-000000001002}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324944Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:43.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324943Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:43.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324942Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:43.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324941Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:43.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324940Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:43.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324939Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:43.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324938Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:43.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324937Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:43.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324936Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:43.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324935Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:43.510{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-615F-619F-5901-000000001002}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324934Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:43.510{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-615F-619F-5901-000000001002}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324933Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:43.511{99D2EDAA-615F-619F-5901-000000001002}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324932Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:43.401{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2472908D2415194700114C1EF036202,SHA256=92E570AFFD6D3D930B909C0760C72469B1B02E91FAEB0DA145DA882F60966BF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000324931Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:40.880{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50079-false10.0.1.12-8000- 23542300x8000000000000000372495Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:44.867{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C4FCCA7027011DECC04234E12C2F91,SHA256=8ED6C86F3C4C2358E4113604D2D6E0E4614B4CDDC770DFC99C86A375EE085E02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324962Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.713{99D2EDAA-6160-619F-5A01-000000001002}35123972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000324961Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.541{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFD4F3C1DA381017E2F17B960EDDA376,SHA256=91971154D209BB68B0D950E2D41DBB06F3110A7146AEA135811741356BE5DEA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324960Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.541{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CC378253619500CA19C8A85108EE0F0,SHA256=444BF1A365C6342661A987E33B868911D3A335ACA0A6F3D4E513AF0E8C4AA2CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324959Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.510{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6160-619F-5A01-000000001002}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324958Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324957Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324956Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324955Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324954Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324953Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324952Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324951Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324950Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.510{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324949Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.510{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-6160-619F-5A01-000000001002}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324948Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.510{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6160-619F-5A01-000000001002}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324947Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.511{99D2EDAA-6160-619F-5A01-000000001002}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324946Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:44.432{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B8390C017CC21AF97D080768569812,SHA256=8CD29B6DBEC239D1DF93F65DA123038F1266795837C26B2D50245D3EEB8739A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372503Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:45.872{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE14B1230491592089E4B9AE596A131,SHA256=777189FC5E78B3017EF6AAAF94550FD69B082DB959542BF593094A9EAB4EB6E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324976Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:45.760{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6161-619F-5B01-000000001002}2260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324975Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:45.760{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324974Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:45.760{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324973Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:45.760{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324972Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:45.760{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324971Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:45.760{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324970Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:45.760{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324969Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:45.760{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324968Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:45.760{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324967Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:45.760{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324966Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:45.760{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-6161-619F-5B01-000000001002}2260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324965Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:45.760{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6161-619F-5B01-000000001002}2260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324964Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:45.761{99D2EDAA-6161-619F-5B01-000000001002}2260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324963Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:45.463{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A90D1DAA3D7F260328E45C0BA1E6BEF,SHA256=2EE5CABE3FC0997A1DA71777E4A1BF6DC890FA15A2289D960AB265E03BB492F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372502Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:45.616{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372501Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:45.616{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372500Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:45.616{27B459FE-5C05-619F-B200-000000000F02}4748692C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372499Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:45.608{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372498Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:45.608{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372497Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:45.608{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372496Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:45.608{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000372505Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:46.882{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF85A984F58892B68F2C6870B055904,SHA256=EDC45EDE5CC00EA5E40245EF6EFF3295D432B32C905E9EB01613B5EC32ECFCAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324978Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:46.994{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFD4F3C1DA381017E2F17B960EDDA376,SHA256=91971154D209BB68B0D950E2D41DBB06F3110A7146AEA135811741356BE5DEA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324977Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:46.463{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89E88E618D8695841407AE1CF6F67A18,SHA256=2DC44D911316AB5EDEB98AD196C452FEFFD6A9E23BEBF718658B0F29A29F7EF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372504Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:44.076{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59019-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372506Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:47.883{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A25AA2E266A304D2799B19D8D89A2D4E,SHA256=9648DDDB7174DF23FE9725E4B059CE1B019C2EE909B85A8E70129FC1A87B26F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000324993Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:47.588{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F7281590F603C9D1B52CFBD54A82D0,SHA256=9E4B597DE0374364C696E3D21E17C9EE27446846F4480913EF485A5137C19E2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000324992Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:47.385{99D2EDAA-6163-619F-5C01-000000001002}29042612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324991Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:47.213{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6163-619F-5C01-000000001002}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324990Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:47.213{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324989Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:47.213{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324988Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:47.213{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324987Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:47.213{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324986Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:47.213{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324985Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:47.213{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324984Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:47.213{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324983Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:47.213{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324982Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:47.213{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324981Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:47.213{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-6163-619F-5C01-000000001002}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324980Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:47.213{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6163-619F-5C01-000000001002}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324979Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:47.214{99D2EDAA-6163-619F-5C01-000000001002}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000325009Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:48.759{99D2EDAA-6164-619F-5D01-000000001002}9562856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000325008Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:48.619{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D7EC56CB98B49DD803A5006368C23F4,SHA256=FDB88460832F741E5878ABEBFC791D8B0DAD52790D05E9CC4EFEA72B9C9043EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372507Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:48.884{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2587903BB40AD13BF14A98025DDF4A20,SHA256=0F4107F535C04238BC8A884DC71B494DD11D58E405EFBDBC451D1A35FE5D81B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325007Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:48.588{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6164-619F-5D01-000000001002}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325006Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:48.588{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325005Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:48.588{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325004Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:48.588{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325003Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:48.588{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325002Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:48.588{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325001Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:48.588{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325000Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:48.588{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324999Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:48.588{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324998Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:48.588{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324997Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:48.588{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-6164-619F-5D01-000000001002}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000324996Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:48.588{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6164-619F-5D01-000000001002}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000324995Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:48.588{99D2EDAA-6164-619F-5D01-000000001002}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000324994Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:48.385{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39569B0D886286968B02E1739342CFB8,SHA256=42837855CE6F34FACB5B29E75773068A52E087A572A556A07CA789D1792D5075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325026Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:49.634{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE9E12A8B4FD1724513A6A176547ABF,SHA256=064869FC54A14BD73EE9162E53CBEA589C3FBDF42E2A262909CE149E0522085D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372508Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:49.910{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B50BC8802E1EE46616D7CD280DAD28,SHA256=8E2B4B752B6DDC7F1AC9D53E9DA9A60AAC272232DBAB92A016B228F9E41516D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325025Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:49.588{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E7B85AC168E8330654D0DB41B46F8CE,SHA256=82B23A03F9A3163C8FDC0D829C547F9757F143114C22FA9899F7DFEEBB2C80AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325024Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:49.525{99D2EDAA-6165-619F-5E01-000000001002}30083816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325023Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:49.338{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6165-619F-5E01-000000001002}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325022Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:49.338{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325021Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:49.338{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325020Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:49.338{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325019Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:49.338{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325018Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:49.338{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325017Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:49.338{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325016Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:49.338{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325015Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:49.338{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325014Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:49.338{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325013Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:49.338{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-6165-619F-5E01-000000001002}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000325012Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:49.338{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6165-619F-5E01-000000001002}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000325011Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:49.338{99D2EDAA-6165-619F-5E01-000000001002}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000325010Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:46.662{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50080-false10.0.1.12-8000- 23542300x8000000000000000325040Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:50.744{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E022F9864EAD8D76220F1E611E18A8,SHA256=2BC18AF08D66C08D5BB3B0E203066B7FBA7F25F7D770824D85BBE75F809138E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372509Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:50.928{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF0F9ED1DD0982DF1FB448ACDC8D64C,SHA256=974EA0A9AA5FEDB46EFC96C66BF860BFC20CD823139BC75A84C8C68F3B6EDA66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325039Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:50.541{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-6166-619F-5F01-000000001002}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325038Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:50.541{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325037Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:50.541{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325036Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:50.541{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325035Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:50.541{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325034Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:50.541{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325033Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:50.541{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325032Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:50.541{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325031Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:50.541{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325030Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:50.541{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325029Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:50.541{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-6166-619F-5F01-000000001002}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000325028Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:50.541{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-6166-619F-5F01-000000001002}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000325027Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:50.542{99D2EDAA-6166-619F-5F01-000000001002}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000372511Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:51.944{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B926AD5FB5A313B1590DF0A892BC54,SHA256=0D6C5C140060E8842B38156B22AC4A5C4F5A240AD950F33BA8D1B71921C9C3CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325042Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:51.775{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1330D5EF12E8F0B7967C4383C3514C26,SHA256=6ECA81F5341B8DA4862D86D297757960DDBF8EB74108FB0F399C89337F7AE5DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325041Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:51.759{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=214A70997604B43AE11CF91684237A1A,SHA256=AA06ECF8C32C8E57830FDB475629CA84BC05375183422AB2EC97D68D78FA3642,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372510Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:49.254{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59020-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372513Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:52.944{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950CB086DFDAC8FB3794DEFD569302C3,SHA256=915B6272C25F562218D5E9E72A370381FF78FC366CD6FFE3AADC822D6F2A3CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325043Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:52.775{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF8EA255B390B7F3F0DA18B8AF43F90,SHA256=6ED2BCC96B4EEB08BBAF7600B0BDB70B1ED756B8E54084E5177095B61459A866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372512Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:52.291{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\xulstore.jsonMD5=2A3CC2404FD9A14E62E290A4D760AD16,SHA256=6B7B2F2D838041111013F7ABE686644F4259441D23BD63C4BB04FBAF6F1B7A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325045Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:53.790{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F67585CA36FE20E39F6FDD165E3E05,SHA256=2667077670D1AA5E9F1D8AAB530B7B98379B910248BC87DCAF72D14B83C82A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372514Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:53.960{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B1EFB9987F634827724229BD67A957B,SHA256=6A2EA5FEAFA13FDE5958B271EBBE034F1907967FF83A255E8E80F91BDDC98395,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325044Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:51.724{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50081-false10.0.1.12-8000- 23542300x8000000000000000325046Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:54.805{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E95DEB44E714D94B2A53B3173D632B3,SHA256=E8E4D56A9F5D0C104E386EE8E4BBF9A0C4DDA493712CB14B7DAF9359F9709C25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372515Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:54.990{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99886BE9BBE347B4A842E445A9359897,SHA256=A4C501DFAE05195D17D85538A67D2105258B8C2BA8EAF0527DA3FB8E59F6AF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325047Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:55.805{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8150B7BE8C1869A82184D6D98A499E5,SHA256=554AC2EF774545C59AFEF139D67C3499F0BBBC8C5CB1AE44A0303BA8A08130EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325048Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:56.836{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948BCBECF686FCAF64DBA9A3B2ACB9AB,SHA256=094129D7EF5EA2EF0EF3F50E1CC89C4B5EC62821B381C665FD6EECAD3121EB5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372516Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:56.006{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A318B5F36E631508F378E992084BA9,SHA256=2892B3D2CADBEEE1CC20275FC8837E388BCFA9E095E08C26E1CE458C6926E6A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325049Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:57.836{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0D8520BFDD1A6AED3577FEBEDE9EC5,SHA256=08F6141506D53EBE2F597D11F56DC365222AB96B65AFF1076FDDE86F465571A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372518Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:55.213{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59021-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372517Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:57.028{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1CB0FA3A757D1604613647BF221F4E,SHA256=54D04B7CFF35CF19A9C66C7AA6524431084704F98DF608F08CA031F604B74460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325050Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:58.836{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F3B7B3FDB02374CB5FB3A5A6AE46E4,SHA256=09154ECEAFED1B556E50912E55BA6649868B6532599116B0BD87C35116B8D5E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372520Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:58.427{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5C04-619F-A900-000000000F02}4220C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000372519Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:58.043{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460F48AD0C3F1EC478E40DE125A7D024,SHA256=DA7EADB6215D9E5F76FE6B2AF667712BEA2A26D927CC8A2DB0ADB241FE09710D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325052Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:59.854{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F63FC7F4BFC3E4C6B85EA437AF329E3,SHA256=8A600BB398040739928695002DE5F72589384586B42750BE8D016693FE0F61F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325051Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:11:56.834{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50082-false10.0.1.12-8000- 23542300x8000000000000000372521Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:11:59.073{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C06B826F1B6E0ED4FC5087623B56A0B,SHA256=C089107805C02BF9482E147B3440DD5773C93C54593C3953AB6EFEB522702C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325053Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:00.916{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B76AEE93DFB701AAF3A2D12B6EE05A,SHA256=E3D84ADF4527AD06BB73A8FE258E18276124E0952F2BF951224EF5D07FBB2FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372522Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:00.074{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A7BFC9E22815DAB605C6A88BB540C74,SHA256=A9341B983A4B3162776A7FE064FB0628CA329834620230E9B231EAB50E58CE7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325054Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:01.932{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034133A3BD8C1A4496DFE71BFB810173,SHA256=E2FF8D064A86CDD37D566CC4FB4EF4D0494C72CD1F64322771F4C76D3BFBFBD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372523Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:01.107{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59178F81CFA7AB84258E8150B6A916B,SHA256=03435CC7AA51C642BC4F82011B9831392565C3CA5DA799FA5B8B16957CF5FFA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325055Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:02.932{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD2ED748555AA76B2146DF8B5014458,SHA256=6F14FB80A16A9C022540FF90793ACBFDAE8BC69A60064C9421094E3504CEF946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372524Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:02.128{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A6CD1EFD8CE366D924F5782D4529EF,SHA256=78957C07B8AA6836816926F9527AA7116EB4CFF96B310969E6044A2E5F59F3AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325056Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:03.963{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA018B6D2CB6FCEACA25586A0700DFF,SHA256=0A1C4E2EF3DCDD9A88A17567CB260FEEF58C4AD6617128A0105A8A479512BBBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372526Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:01.215{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59022-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372525Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:03.142{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9F7D5E737CC54AA31127BDC24FB517,SHA256=532F1BE222FD2B67724EE9C602314E7A225452A6C1F1C040877A468D84EF4020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325058Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:04.994{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F64A9E6F50FFA2BABDDA9CCD4D9B42,SHA256=8403BDDF487A02A61F6EFAAD94686DF022ADD054E66BA5F057D0D26F869172C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325057Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:02.695{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50083-false10.0.1.12-8000- 354300x8000000000000000372539Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:02.698{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local59023-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000372538Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:02.698{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local59023-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 23542300x8000000000000000372537Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:04.701{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE5D97C0C551E9019ADBBF4B51AD2CFE,SHA256=25B5DA29B56C7C049309AD4BF9A60BC6C659704BB6ACC9F784E58817D37D126B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372536Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:04.691{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75F98D811D01DB9BB5F8F27E36834CA0,SHA256=E4C72217E2AC362167F2AB170FFB7F7097B7A1DFF00E7DBC645D7C46DD8C47E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372535Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:04.442{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6174-619F-A501-000000000F02}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372534Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:04.442{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372533Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:04.442{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372532Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:04.442{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372531Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:04.442{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372530Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:04.442{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-6174-619F-A501-000000000F02}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372529Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:04.442{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6174-619F-A501-000000000F02}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372528Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:04.443{27B459FE-6174-619F-A501-000000000F02}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000372527Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:04.208{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B7750B80BA85444219FB67F2D42B54,SHA256=82FBEA33C87907676569F50404EBA928098B96854FCA8CB817565322724CD407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325059Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:05.994{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A65172DEB12963CCFE87ED735C25F7,SHA256=57B050B2C5972993CFFCEA92E611FADF0C7BBBC4ADF7320F8C480F9C9E968C83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372549Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:05.551{27B459FE-6175-619F-A601-000000000F02}54566072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372548Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:05.313{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6175-619F-A601-000000000F02}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372547Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:05.296{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-6175-619F-A601-000000000F02}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372546Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:05.295{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372545Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:05.295{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372544Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:05.295{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372543Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:05.295{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372542Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:05.294{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6175-619F-A601-000000000F02}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372541Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:05.285{27B459FE-6175-619F-A601-000000000F02}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000372540Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:05.229{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2F9507B6A92597D9E027BBF59D648F,SHA256=268605EC828FAC90C68CE7B2CDEBF995E4FB49D24D926CA52294633D8C292C36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372559Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:06.384{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6176-619F-A701-000000000F02}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372558Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:06.384{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372557Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:06.384{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372556Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:06.384{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372555Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:06.384{27B459FE-5AC4-619F-0C00-000000000F02}8365188C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372554Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:06.384{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-6176-619F-A701-000000000F02}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372553Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:06.384{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6176-619F-A701-000000000F02}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372552Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:06.386{27B459FE-6176-619F-A701-000000000F02}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000372551Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:06.300{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE5D97C0C551E9019ADBBF4B51AD2CFE,SHA256=25B5DA29B56C7C049309AD4BF9A60BC6C659704BB6ACC9F784E58817D37D126B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372550Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:06.267{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E8826455BE9987E3E99922221303D4,SHA256=174A5FCEE70841C26501AA5ECB679738B2DFCC90EA4831808FC4A8A5E35F9BFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372571Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:07.984{27B459FE-5AC2-619F-0B00-000000000F02}6402760C:\Windows\system32\lsass.exe{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372570Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:07.984{27B459FE-5AC2-619F-0B00-000000000F02}6402760C:\Windows\system32\lsass.exe{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372569Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:07.969{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+1213f2|C:\Windows\System32\windows.storage.dll+1218c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA07F5)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320F02225)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824 10341000x8000000000000000372568Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:07.947{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+121509|C:\Windows\System32\windows.storage.dll+121627|C:\Windows\System32\windows.storage.dll+121b58|C:\Windows\System32\windows.storage.dll+121f0b|C:\Windows\System32\windows.storage.dll+c37e5|C:\Windows\System32\windows.storage.dll+c5196|C:\Windows\System32\windows.storage.dll+c5a11|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e6dc|C:\Windows\System32\SHELL32.dll+6e225|C:\Windows\System32\SHELL32.dll+6ed3d|C:\Windows\System32\SHELL32.dll+7235f|C:\Windows\System32\SHELL32.dll+13fb5e|C:\Windows\System32\SHELL32.dll+13f776|C:\Windows\System32\SHELL32.dll+13f1f3|C:\Windows\System32\SHELL32.dll+13ee0b 10341000x8000000000000000372567Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:07.947{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+121485|C:\Windows\System32\windows.storage.dll+121627|C:\Windows\System32\windows.storage.dll+121b58|C:\Windows\System32\windows.storage.dll+121f0b|C:\Windows\System32\windows.storage.dll+c37e5|C:\Windows\System32\windows.storage.dll+c5196|C:\Windows\System32\windows.storage.dll+c5a11|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e6dc|C:\Windows\System32\SHELL32.dll+6e225|C:\Windows\System32\SHELL32.dll+6ed3d|C:\Windows\System32\SHELL32.dll+7235f|C:\Windows\System32\SHELL32.dll+13fb5e|C:\Windows\System32\SHELL32.dll+13f776|C:\Windows\System32\SHELL32.dll+13f1f3|C:\Windows\System32\SHELL32.dll+13ee0b 10341000x8000000000000000372566Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:07.947{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+121469|C:\Windows\System32\windows.storage.dll+121627|C:\Windows\System32\windows.storage.dll+121b58|C:\Windows\System32\windows.storage.dll+121f0b|C:\Windows\System32\windows.storage.dll+c37e5|C:\Windows\System32\windows.storage.dll+c5196|C:\Windows\System32\windows.storage.dll+c5a11|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e6dc|C:\Windows\System32\SHELL32.dll+6e225|C:\Windows\System32\SHELL32.dll+6ed3d|C:\Windows\System32\SHELL32.dll+7235f 10341000x8000000000000000372565Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:07.947{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+121469|C:\Windows\System32\windows.storage.dll+121627|C:\Windows\System32\windows.storage.dll+121b58|C:\Windows\System32\windows.storage.dll+121f0b|C:\Windows\System32\windows.storage.dll+c37e5|C:\Windows\System32\windows.storage.dll+c5196|C:\Windows\System32\windows.storage.dll+c5a11|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e6dc|C:\Windows\System32\SHELL32.dll+6e225|C:\Windows\System32\SHELL32.dll+6ed3d|C:\Windows\System32\SHELL32.dll+7235f|C:\Windows\System32\SHELL32.dll+13fb5e 10341000x8000000000000000372564Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:07.800{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+d15ca|C:\Windows\System32\SHELL32.dll+84a44|C:\Windows\System32\SHELL32.dll+822bb|C:\Windows\System32\SHELL32.dll+81d9d|C:\Windows\System32\SHELL32.dll+b4989|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Program Files\Notepad++\notepad++.exe+16d579|C:\Program Files\Notepad++\notepad++.exe+16b083|C:\Program Files\Notepad++\notepad++.exe+208b3a|C:\Program Files\Notepad++\notepad++.exe+208306|C:\Program Files\Notepad++\notepad++.exe+1f81f5|C:\Program Files\Notepad++\notepad++.exe+1e4b4d|C:\Program Files\Notepad++\notepad++.exe+1e8cbb|C:\Program Files\Notepad++\notepad++.exe+1e3bf1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 10341000x8000000000000000372563Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:07.800{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d15b8|C:\Windows\System32\SHELL32.dll+84a44|C:\Windows\System32\SHELL32.dll+822bb|C:\Windows\System32\SHELL32.dll+81d9d|C:\Windows\System32\SHELL32.dll+b4989|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Program Files\Notepad++\notepad++.exe+16d579|C:\Program Files\Notepad++\notepad++.exe+16b083|C:\Program Files\Notepad++\notepad++.exe+208b3a|C:\Program Files\Notepad++\notepad++.exe+208306|C:\Program Files\Notepad++\notepad++.exe+1f81f5|C:\Program Files\Notepad++\notepad++.exe+1e4b4d|C:\Program Files\Notepad++\notepad++.exe+1e8cbb|C:\Program Files\Notepad++\notepad++.exe+1e3bf1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7 10341000x8000000000000000372562Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:07.800{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d15b8|C:\Windows\System32\SHELL32.dll+84a44|C:\Windows\System32\SHELL32.dll+822bb|C:\Windows\System32\SHELL32.dll+81d9d|C:\Windows\System32\SHELL32.dll+b4989|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Program Files\Notepad++\notepad++.exe+16d579|C:\Program Files\Notepad++\notepad++.exe+16b083|C:\Program Files\Notepad++\notepad++.exe+208b3a|C:\Program Files\Notepad++\notepad++.exe+208306|C:\Program Files\Notepad++\notepad++.exe+1f81f5|C:\Program Files\Notepad++\notepad++.exe+1e4b4d|C:\Program Files\Notepad++\notepad++.exe+1e8cbb|C:\Program Files\Notepad++\notepad++.exe+1e3bf1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 23542300x8000000000000000372561Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:07.384{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE3DA26B8B090D0B7DDE1D78D45EC625,SHA256=91DE8A1C6D426F10A882F11F3C4025B911D1294ACA10AF31F82B755F9858799D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372560Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:07.284{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38FDBCA1CFCC274AAEFBE5DD04EA4D3E,SHA256=F7F9E90D439A1B32139C853C567E8B512806DCDEF3153865FB1146BD5887090F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325060Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:06.994{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE494093EAEE87C4629EDA297B55F41,SHA256=FFE13FD057BF197385B1E1723B68E70B7BCD75B2EBCAD8BAFFF15829E80DAB97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372637Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.764{27B459FE-6178-619F-A801-000000000F02}29046072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000372636Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.632{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CEABAA75D3416BB8E022758AEA8F9EF,SHA256=7BCF78EF4C2C7A0B7086F3CD06271BA7857BEC741B4A4C83B3F23B19CAA708A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372635Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.600{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C0130349B6C8CBBB558AB52BB188B4,SHA256=49591D0ADC16A15EA804EC5275BF4F3E9242B3F5D056EDBD73D43063173EA1F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372634Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.532{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6178-619F-A801-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372633Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.532{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372632Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.532{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372631Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.532{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372630Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.532{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372629Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.532{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-6178-619F-A801-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372628Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.532{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6178-619F-A801-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372627Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.532{27B459FE-6178-619F-A801-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000372626Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.431{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81cf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA07F5)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320F02225)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000372625Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.431{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81b7d|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\System32\SHELL32.dll+83704|C:\Windows\System32\SHELL32.dll+835ed|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+16d579|C:\Program Files\Notepad++\notepad++.exe+16b083|C:\Program Files\Notepad++\notepad++.exe+208b3a|C:\Program Files\Notepad++\notepad++.exe+208306 10341000x8000000000000000372624Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.431{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81af9|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\System32\SHELL32.dll+83704|C:\Windows\System32\SHELL32.dll+835ed|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+16d579|C:\Program Files\Notepad++\notepad++.exe+16b083|C:\Program Files\Notepad++\notepad++.exe+208b3a|C:\Program Files\Notepad++\notepad++.exe+208306 10341000x8000000000000000372623Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.431{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\System32\SHELL32.dll+83704|C:\Windows\System32\SHELL32.dll+835ed|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4 10341000x8000000000000000372622Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.431{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\System32\SHELL32.dll+83704|C:\Windows\System32\SHELL32.dll+835ed|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+16d579 23542300x8000000000000000325061Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:08.009{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9677795D9EE7AEE962764B5B5FC6A06,SHA256=55DA8AB3B4E37F19B7DBE5F3D1BA5B4C3929AA4165715F18EC422D6DC415117E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372621Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.232{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81cf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA07F5)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320F02225)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000372620Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.232{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81cf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA07F5)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320F02225)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000372619Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.232{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81cf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA07F5)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320F02225)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000372618Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.232{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81cf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA07F5)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320F02225)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000372617Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.232{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81cf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA07F5)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320F02225)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000372616Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.232{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81cf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA07F5)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320F02225)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000372615Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.232{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81b7d|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372614Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.232{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81af9|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372613Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.232{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372612Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.232{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000372611Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81b7d|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372610Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81af9|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372609Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372608Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000372607Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81b7d|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372606Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81af9|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372605Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372604Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000372603Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81b7d|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372602Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81af9|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372601Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372600Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000372599Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81b7d|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372598Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81af9|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372597Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372596Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000372595Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81b7d|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372594Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81af9|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372593Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372592Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.200{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000372591Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.169{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81cf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA07F5)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320F02225)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000372590Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.169{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81cf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA07F5)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320F02225)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000372589Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.169{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81cf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA07F5)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320F02225)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000372588Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.169{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81cf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA07F5)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320F02225)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000372587Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.169{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81b7d|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372586Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.169{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81af9|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372585Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.169{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372584Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.169{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000372583Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.168{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81b7d|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372582Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.168{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81af9|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372581Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.168{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000372580Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.168{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000372579Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.117{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81b7d|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13fd87|C:\Windows\System32\SHELL32.dll+13f208|C:\Windows\System32\SHELL32.dll+13ee0b|C:\Windows\System32\SHELL32.dll+13ef77|C:\Windows\System32\SHELL32.dll+13eefa|C:\Windows\System32\COMDLG32.dll+10e08 10341000x8000000000000000372578Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.117{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81af9|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13fd87|C:\Windows\System32\SHELL32.dll+13f208|C:\Windows\System32\SHELL32.dll+13ee0b|C:\Windows\System32\SHELL32.dll+13ef77|C:\Windows\System32\SHELL32.dll+13eefa|C:\Windows\System32\COMDLG32.dll+10e08 10341000x8000000000000000372577Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.117{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13fd87|C:\Windows\System32\SHELL32.dll+13f208 10341000x8000000000000000372576Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.117{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13fd87|C:\Windows\System32\SHELL32.dll+13f208|C:\Windows\System32\SHELL32.dll+13ee0b 10341000x8000000000000000372575Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.084{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81b7d|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+ff9a3|C:\Windows\System32\SHELL32.dll+ffda4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x8000000000000000372574Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.084{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81af9|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+ff9a3|C:\Windows\System32\SHELL32.dll+ffda4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x8000000000000000372573Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.084{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+ff9a3|C:\Windows\System32\SHELL32.dll+ffda4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x8000000000000000372572Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:08.084{27B459FE-5CDA-619F-E300-000000000F02}22605808C:\Program Files\Notepad++\notepad++.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+ff9a3|C:\Windows\System32\SHELL32.dll+ffda4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 354300x8000000000000000372657Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:07.142{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59024-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000372656Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.727{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6179-619F-AA01-000000000F02}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372655Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.727{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372654Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.727{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372653Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.727{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372652Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.727{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-6179-619F-AA01-000000000F02}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372651Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.727{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372650Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.727{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6179-619F-AA01-000000000F02}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372649Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.730{27B459FE-6179-619F-AA01-000000000F02}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000372648Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.727{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B73CA39FF80311C7DE64DC68C162072,SHA256=7D0D29DBC61DC619D4015B9B280335F897B1891E0CC3231073079B9CCE780332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372647Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.496{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9445D2B842D3683F9FCDFB4C92CA81,SHA256=DDB4849EB306D8DF4BD9ABF3ABD87D458447B9C0F971F731B04E363CFBDF5C8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325063Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:07.805{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50084-false10.0.1.12-8000- 23542300x8000000000000000325062Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:09.009{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6123C579A0FD4049F8AA734A9B0FE0D9,SHA256=5268666FB149A3A63DD061E8CC26767DAEAB3C9022CD72D15C64B011215CC051,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372646Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.380{27B459FE-6179-619F-A901-000000000F02}15243680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372645Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.196{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-6179-619F-A901-000000000F02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372644Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.196{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372643Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.196{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372642Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.196{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372641Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.196{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372640Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.196{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-6179-619F-A901-000000000F02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372639Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.196{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-6179-619F-A901-000000000F02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372638Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.197{27B459FE-6179-619F-A901-000000000F02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000372668Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:10.746{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F26467919AEBE07C39D04409FEEB7D9D,SHA256=B4FB1FB8AD9EF30E47404EC6289D179AED9F06AC5A84646DEBC9880EAE08258A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372667Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:10.514{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3AE02C1E8AA13A7D7DFA9487BD025B,SHA256=3AA6A094789D980E97EA75A3553559C7A8C401B26E3D94A24C9A8D8F06E2D699,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325065Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:09.043{99D2EDAA-5AC0-619F-0F00-000000001002}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.26.29.84-7842-false10.0.1.15win-host-61.attackrange.local3389ms-wbt-server 23542300x8000000000000000325064Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:10.040{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137656F1987C294930C365013D4E77E4,SHA256=B059F5365C09E87846C925705CA65C96F285F1109179C89294B3C51019990783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372666Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:10.483{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\saved-telemetry-pings\950ad000-d8d3-4977-b6b8-2f8aa7ca55cfMD5=1B9F770B98A85AC6D33DB609476CC8D0,SHA256=23ED9A39597597697BCCE4CD78FB2BCB64844FD6946F6B13B9455B043099ACBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372665Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:10.467{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\saved-telemetry-pings\2ea4ef6d-2614-4489-928e-ac48767e0b2eMD5=14AC4FEBD866CC2CC4235CE9D11DFDDC,SHA256=97AE698C19A6F0DB9332BC5C1EF9E71D57619814EA09B069C55D5E8275CD5EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372664Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:10.417{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\saved-telemetry-pings\93289204-2e1c-4a02-9e28-909ea7f14273MD5=F6C74B0290A00BCD0A8353731393D67C,SHA256=7656558E4CD3F5DF2F7C05218F5794B56FED70386C481CD3D089DC6E2239A6D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372663Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:10.383{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\uninstall_ping_308046B0AF4A39CB_e62a436b-3441-47ec-b985-f53859f5ff20.jsonMD5=515A781FD2D4C73D1816D1E85CAB7BE7,SHA256=985725BFF40E50460F465576D33FDF04F37E6B73B08AE354145218836FEC6D2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372662Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:10.315{27B459FE-6179-619F-AA01-000000000F02}28561940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000372661Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:10.270{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\session-state.jsonMD5=98680190F6184BC8F1E6322CA7DE82A5,SHA256=8D63C30156ADB05762827F1E39F662A7CDAB953C7E025A6BD03335A383E8251E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372660Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:10.228{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372659Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:10.227{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372658Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:10.226{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372685Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:11.984{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-617B-619F-AB01-000000000F02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372684Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:11.984{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372683Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:11.984{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372682Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:11.984{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372681Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:11.984{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372680Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:11.984{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-617B-619F-AB01-000000000F02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372679Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:11.984{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-617B-619F-AB01-000000000F02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372678Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:11.985{27B459FE-617B-619F-AB01-000000000F02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000372677Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:11.530{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E229E84C937D8F8160616677FF1637CD,SHA256=511EECE7055468F78DE8953DAE8A3271F4734A958EE8D1A700A65270E5045672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325066Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:11.056{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C69D2F0E5CD099B026B82CDA849605A,SHA256=BEB3F3A2AEF995D1C313AA0654AF489DCA06C81BACB39C8BE2539D25E6835A6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372676Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.266{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local59844- 23542300x8000000000000000372675Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:11.383{27B459FE-5CDA-619F-E300-000000000F02}2260ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 1@2021-11-25_101158MD5=829DDEE5D5089067D0811B45D136E891,SHA256=776F4BE2DF661305CAC056B414465814F2B41C4C29A5F52FD417161829992F13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000372674Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:11.368{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exeC:\Temp\1.bat2021-11-25 10:12:11.299 10341000x8000000000000000372673Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:11.315{27B459FE-5C05-619F-B200-000000000F02}47484780C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372672Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:11.315{27B459FE-5C05-619F-B200-000000000F02}47484780C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372671Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:11.315{27B459FE-5C05-619F-B200-000000000F02}47484780C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000372670Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:11.299{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exeC:\Temp\1.bat2021-11-25 10:12:11.299 354300x8000000000000000372669Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:09.205{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local55671- 23542300x8000000000000000372686Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:12.546{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF52C9A2C9AC3D3BA61BA1C5AE26433,SHA256=052BEDEC8B84C4E897BF55C21D03FF2AB8DD8CE3232F3B8407DE742F0914D698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325067Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:12.071{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4CB22B2C4314A79F94F4C2769437C99,SHA256=2A461E9EA3DC77F6D4F5680CC4676947D370B8D431B8DD6E6085161AE1BD6C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372688Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:13.563{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674E76D3AA3180136BB895C3BE513136,SHA256=773C54BB0A38AF45951D0DAE6E4F3E7BDAC5B2D95002C672BB8E006F8E200C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325069Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:13.779{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-027MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325068Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:13.071{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C180D3A72CC15B23378AE343301790EC,SHA256=2BC69332C0D1AFDD49BC29CA92A82690B502006697DB98FB181B08770FAD7D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372687Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:13.014{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DA3A0B4F7B36705BAC5D69C0322F746,SHA256=E080C32810F1C92EBDCF09F40E51AFC4BFA1F42C9701C123103A6C78652A2F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372690Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:14.845{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372689Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:14.583{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D04BF8251B62EE8D7A18543BEAFF79C,SHA256=C03098C8D0B81ECEAB465872FD993D12F82C8177CE4E20235B83FCBD94A798B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325071Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:14.790{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-028MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325070Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:14.086{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB14C9E2325173D7AF5FB18896B549C,SHA256=1BE8C7ADBC6ADC37AFF176EAB92A27CBAB77902B6CBC5147CEE9C0A3D5C72F47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372728Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.967{27B459FE-617F-619F-AD01-000000000F02}52042704C:\Windows\system32\conhost.exe{27B459FE-617F-619F-AE01-000000000F02}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000372727Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:13.854{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59026-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000372726Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:13.186{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59025-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000372725Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.829{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372724Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.829{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372723Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.829{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372722Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.829{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372721Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.829{27B459FE-5C01-619F-A300-000000000F02}13442476C:\Windows\system32\csrss.exe{27B459FE-617F-619F-AE01-000000000F02}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372720Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.829{27B459FE-617F-619F-AC01-000000000F02}51525908C:\Windows\system32\cmd.exe{27B459FE-617F-619F-AE01-000000000F02}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372719Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.837{27B459FE-617F-619F-AE01-000000000F02}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell Add-MpPreference -ExclusionPath C:\Temp -ForceC:\Temp\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{27B459FE-617F-619F-AC01-000000000F02}5152C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 10341000x8000000000000000372718Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.798{27B459FE-5C05-619F-B200-000000000F02}47484780C:\Windows\Explorer.EXE{27B459FE-617F-619F-AC01-000000000F02}5152C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372717Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.798{27B459FE-5C05-619F-B200-000000000F02}47484780C:\Windows\Explorer.EXE{27B459FE-617F-619F-AC01-000000000F02}5152C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372716Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.798{27B459FE-5C05-619F-B200-000000000F02}47484780C:\Windows\Explorer.EXE{27B459FE-617F-619F-AC01-000000000F02}5152C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372715Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.767{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-617F-619F-AD01-000000000F02}5204C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372714Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.767{27B459FE-5C04-619F-AD00-000000000F02}43964592C:\Windows\System32\taskhostw.exe{27B459FE-617F-619F-AD01-000000000F02}5204C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372713Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.744{27B459FE-5C05-619F-B200-000000000F02}47484828C:\Windows\Explorer.EXE{27B459FE-617F-619F-AC01-000000000F02}5152C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372712Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.744{27B459FE-5C05-619F-B200-000000000F02}47484828C:\Windows\Explorer.EXE{27B459FE-617F-619F-AC01-000000000F02}5152C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372711Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.744{27B459FE-5C05-619F-B200-000000000F02}47484828C:\Windows\Explorer.EXE{27B459FE-617F-619F-AC01-000000000F02}5152C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372710Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.744{27B459FE-5C05-619F-B200-000000000F02}47484828C:\Windows\Explorer.EXE{27B459FE-617F-619F-AC01-000000000F02}5152C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372709Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.744{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-617F-619F-AD01-000000000F02}5204C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372708Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.744{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-617F-619F-AD01-000000000F02}5204C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372707Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.744{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-617F-619F-AD01-000000000F02}5204C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372706Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.744{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-617F-619F-AD01-000000000F02}5204C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372705Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.729{27B459FE-5AC5-619F-1600-000000000F02}12881984C:\Windows\System32\svchost.exe{27B459FE-617F-619F-AD01-000000000F02}5204C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372704Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.729{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-617F-619F-AD01-000000000F02}5204C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372703Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.713{27B459FE-617F-619F-AD01-000000000F02}52042704C:\Windows\system32\conhost.exe{27B459FE-617F-619F-AC01-000000000F02}5152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372702Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.713{27B459FE-5C01-619F-A300-000000000F02}13443148C:\Windows\system32\csrss.exe{27B459FE-617F-619F-AD01-000000000F02}5204C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000372701Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.localInvDBSetValue2021-11-25 10:12:15.698{27B459FE-5AC4-619F-1000-000000000F02}380C:\Windows\System32\svchost.exeHKU\S-1-5-21-3499523948-2023901041-105020508-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\1.batBinary Data 10341000x8000000000000000372700Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.698{27B459FE-5AC4-619F-1000-000000000F02}3801140C:\Windows\System32\svchost.exe{27B459FE-617F-619F-AC01-000000000F02}5152C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372699Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.698{27B459FE-5AC4-619F-1000-000000000F02}3801140C:\Windows\System32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372698Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.698{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372697Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.698{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372696Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.698{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372695Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.698{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372694Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.698{27B459FE-5C01-619F-A300-000000000F02}13442476C:\Windows\system32\csrss.exe{27B459FE-617F-619F-AC01-000000000F02}5152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372693Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.698{27B459FE-5C05-619F-B200-000000000F02}4748352C:\Windows\Explorer.EXE{27B459FE-617F-619F-AC01-000000000F02}5152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372692Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.699{27B459FE-617F-619F-AC01-000000000F02}5152C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" "C:\Temp\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000372691Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:15.598{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD946D0B6B6397D6EA38A2F5F772FECF,SHA256=5372BD56AC4C86DAB8609BD0E39D18520921089AABEF251336AC9670BDF5DAE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325073Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:13.804{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50085-false10.0.1.12-8000- 23542300x8000000000000000325072Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:15.115{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9825D8FD8E86934E1129D5A3D265603C,SHA256=7AB46FA789F5075D06641D2403420877062A4D35A7BDA225BAE5B8E9B1C1D0CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372743Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:16.814{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=41C4B87E773E67A49167D4EC6E250CC3,SHA256=3EB62D032A896A87D8B220CD43147761368DE1782751073F9DCE21F8B84724F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372742Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:16.794{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3761C58D236F90E930B93C23D5EE22E9,SHA256=9F36E527D8BA5585ADB85163A2E5BCB79AC78E5D315BAB8F342B5DB139A12EF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372741Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:16.764{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8D719363B549A1C7E6366A78E3948B89,SHA256=7DD9713E1AD9B0A4701B0DA3686F6EAF9EDBF23CDDA90A696146C8340FCFAEDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372740Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:16.712{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B09AE7E6B48ADD2404A20AE8420E136A,SHA256=F25E2222DB2C61A4E2D89FB188B2C3C193B882EB8D0BD170591B66AB43359C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372739Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:16.708{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=77016EC44F3A294745F3D05F02513421,SHA256=DEB0D279A353AFBF643883F42F2D0FFD03B9599ACE979B5BD6756278A8165B5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372738Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:16.661{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB814A920EE22CFBA8CC6D48599CF212,SHA256=B1CDEC1C8A865EDB1E9E28226C47006C316AD1433F31813A5ABDE78C3CF3104F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325074Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:16.133{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C628F844B32744409E77AF98125D02,SHA256=EB2AAFD15B20D2B0FEE30EB94766B8FABF772BE89522AEE9B3C2E742DE35EEDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372737Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:16.430{27B459FE-5AC5-619F-1600-000000000F02}12881984C:\Windows\System32\svchost.exe{27B459FE-617F-619F-AE01-000000000F02}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372736Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:16.430{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-617F-619F-AE01-000000000F02}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372735Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:16.377{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-617F-619F-AE01-000000000F02}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372734Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:16.377{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-617F-619F-AE01-000000000F02}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000372733Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:12:16.299{27B459FE-617F-619F-AE01-000000000F02}6008\PSHost.132823087358375094.6008.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000372732Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:16.282{27B459FE-617F-619F-AE01-000000000F02}6008ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4vsbganp.xce.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372731Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:16.230{27B459FE-617F-619F-AE01-000000000F02}6008ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_upz0fixb.rr3.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000372730Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:16.130{27B459FE-617F-619F-AE01-000000000F02}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_upz0fixb.rr3.ps12021-11-25 10:12:16.130 10341000x8000000000000000372729Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:16.067{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-617F-619F-AE01-000000000F02}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000372766Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.866{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0D1ED6E3FE02D31FDC7DB3810EFDC50A,SHA256=107E4617F6B0CFC3127A199C3C1E8EDE3DA10D5E837D391208B3A0C77F958B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372765Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.839{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ECE76C0C0E7E6DEB151C189BB56FEB6F,SHA256=147F9A535D903C701FCDFA581A00F2BF93D02F8BE33F376DFF35066534124F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372764Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.748{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9F841F17DA7A904755DBA054FD1B6A8D,SHA256=ECA751DDAE9FC9A99FC817311EDEED66EA8F19DAE0F348B2C0099BE14D7E1838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372763Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.663{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2522234CEAE4F9782BA4A9B100059E19,SHA256=2D555E348F781AE4649330CCEC9EAE65A8ED5FD803CAD3D6045673173E183FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325075Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:17.149{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D8057AA340C8209558A0DA50B2F38A2,SHA256=974C15B6A883BF4FD569A9E94C3C626296A8B73EBAE81B008B87ADB9F53C788F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372762Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.431{27B459FE-5AC5-619F-1600-000000000F02}12881984C:\Windows\System32\svchost.exe{27B459FE-6181-619F-AF01-000000000F02}6268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372761Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.431{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-6181-619F-AF01-000000000F02}6268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372760Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.382{27B459FE-5AC2-619F-0B00-000000000F02}6402760C:\Windows\system32\lsass.exe{27B459FE-6181-619F-AF01-000000000F02}6268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372759Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.382{27B459FE-5AC2-619F-0B00-000000000F02}6402760C:\Windows\system32\lsass.exe{27B459FE-6181-619F-AF01-000000000F02}6268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000372758Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:12:17.331{27B459FE-6181-619F-AF01-000000000F02}6268\PSHost.132823087371743896.6268.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000372757Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.315{27B459FE-6181-619F-AF01-000000000F02}6268ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ng3ilkfj.wpv.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372756Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.315{27B459FE-6181-619F-AF01-000000000F02}6268ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yubjtnds.et4.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000372755Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.284{27B459FE-6181-619F-AF01-000000000F02}6268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yubjtnds.et4.ps12021-11-25 10:12:17.284 10341000x8000000000000000372754Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.247{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-6181-619F-AF01-000000000F02}6268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372753Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.182{27B459FE-617F-619F-AD01-000000000F02}52042704C:\Windows\system32\conhost.exe{27B459FE-6181-619F-AF01-000000000F02}6268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372752Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.162{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372751Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.162{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372750Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.162{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372749Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.162{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372748Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.162{27B459FE-5C01-619F-A300-000000000F02}13445396C:\Windows\system32\csrss.exe{27B459FE-6181-619F-AF01-000000000F02}6268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372747Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.162{27B459FE-617F-619F-AC01-000000000F02}51525908C:\Windows\system32\cmd.exe{27B459FE-6181-619F-AF01-000000000F02}6268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372746Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.174{27B459FE-6181-619F-AF01-000000000F02}6268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell Add-MpPreference -ExclusionProcess C:\Temp\evil.msi -ForceC:\Temp\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{27B459FE-617F-619F-AC01-000000000F02}5152C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 23542300x8000000000000000372745Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.134{27B459FE-617F-619F-AE01-000000000F02}6008ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372744Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:17.115{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2C3261877F72ECCE0225F06993BADD2C,SHA256=0AD25E0637DFC9A8C86F6B397CDF8D7F87021DF24F5AA426E8C534A72B46E92B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372787Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.782{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=442B78F129877A90F276DA7AAE45642F,SHA256=D8D708EEE186A142BA8AB4A039FF9AB3F0C3552A92AB2873F65EE30A3CF821AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372786Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.696{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935A09D3BD71BF4AD1B11DD2A0A3B792,SHA256=95EDD1395772E234CF823AA459DDFB126816C3D428BBCA7E9FE641069D0B9A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325076Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:18.149{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93441D74266C43064ACCED475C1ED22E,SHA256=91F4281699FABC4F3F02882845DABE15177E4DE43915B25E1EB10B7E659A242A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372785Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.612{27B459FE-5AC5-619F-1600-000000000F02}12881984C:\Windows\System32\svchost.exe{27B459FE-6182-619F-B001-000000000F02}6428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372784Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.612{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-6182-619F-B001-000000000F02}6428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372783Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.551{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-6182-619F-B001-000000000F02}6428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372782Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.551{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-6182-619F-B001-000000000F02}6428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000372781Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:12:18.496{27B459FE-6182-619F-B001-000000000F02}6428\PSHost.132823087382825906.6428.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000372780Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.481{27B459FE-6182-619F-B001-000000000F02}6428ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_oq4yfsec.wdj.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372779Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.481{27B459FE-6182-619F-B001-000000000F02}6428ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_bhd1ieif.2tg.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000372778Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.410{27B459FE-6182-619F-B001-000000000F02}6428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_bhd1ieif.2tg.ps12021-11-25 10:12:18.410 10341000x8000000000000000372777Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.379{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-6182-619F-B001-000000000F02}6428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372776Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.281{27B459FE-617F-619F-AD01-000000000F02}52042704C:\Windows\system32\conhost.exe{27B459FE-6182-619F-B001-000000000F02}6428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372775Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.281{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372774Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.281{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372773Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.281{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372772Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.281{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372771Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.281{27B459FE-5C01-619F-A300-000000000F02}13445396C:\Windows\system32\csrss.exe{27B459FE-6182-619F-B001-000000000F02}6428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372770Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.281{27B459FE-617F-619F-AC01-000000000F02}51525908C:\Windows\system32\cmd.exe{27B459FE-6182-619F-B001-000000000F02}6428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372769Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.282{27B459FE-6182-619F-B001-000000000F02}6428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell Add-MpPreference -ExclusionExtension ".exe" -ForceC:\Temp\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{27B459FE-617F-619F-AC01-000000000F02}5152C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 23542300x8000000000000000372768Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.227{27B459FE-6181-619F-AF01-000000000F02}6268ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372767Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:18.211{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F515E42E3DA92746131CA369E97B5216,SHA256=5500B0B34CE7C68731ACE51571EB3BC4C4A82D4E6C26323764CAFB10A3C28AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372812Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.963{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F6F9D4DA2486439D647AF3486CF4946F,SHA256=6C1B679F76197B97058D740C91AA50AD0A3639EAB24A8FA6170E9A696E8DE8E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372811Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.789{27B459FE-6183-619F-B101-000000000F02}6588ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372810Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.731{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C443FD36928F44670E488F2964C281,SHA256=75CA60BA493986E9285227DEF40E259FBAE627D6D9D35AE94DD150FACE3A96B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325077Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:19.164{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D31445B3AFC60154215BE3DDD91C52D,SHA256=DFCE5650CE8B4160A4279A2FD3F9B6D5A136AA384FA785AAD590474A7C6533D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372809Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.628{27B459FE-5AC5-619F-1600-000000000F02}12881984C:\Windows\System32\svchost.exe{27B459FE-6183-619F-B101-000000000F02}6588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372808Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.628{27B459FE-5AC5-619F-1600-000000000F02}12881320C:\Windows\System32\svchost.exe{27B459FE-6183-619F-B101-000000000F02}6588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372807Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.543{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-6183-619F-B101-000000000F02}6588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372806Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.543{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-6183-619F-B101-000000000F02}6588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000372805Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-CreatePipe2021-11-25 10:12:19.505{27B459FE-6183-619F-B101-000000000F02}6588\PSHost.132823087393691275.6588.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000372804Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.490{27B459FE-6183-619F-B101-000000000F02}6588ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fqgaqiye.bff.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372803Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.490{27B459FE-6183-619F-B101-000000000F02}6588ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_p35qkyqm.xrz.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000372802Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.443{27B459FE-6183-619F-B101-000000000F02}6588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_p35qkyqm.xrz.ps12021-11-25 10:12:19.443 10341000x8000000000000000372801Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.425{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-6183-619F-B101-000000000F02}6588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372800Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.374{27B459FE-617F-619F-AD01-000000000F02}52042704C:\Windows\system32\conhost.exe{27B459FE-6183-619F-B101-000000000F02}6588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372799Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.359{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372798Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.359{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372797Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.359{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372796Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.359{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372795Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.359{27B459FE-5C01-619F-A300-000000000F02}13443148C:\Windows\system32\csrss.exe{27B459FE-6183-619F-B101-000000000F02}6588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372794Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.359{27B459FE-617F-619F-AC01-000000000F02}51525908C:\Windows\system32\cmd.exe{27B459FE-6183-619F-B101-000000000F02}6588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372793Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.369{27B459FE-6183-619F-B101-000000000F02}6588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell Set-MpPreference -ExclusionPath "C:\" -ForceC:\Temp\ATTACKRANGE\Administrator{27B459FE-5C03-619F-CE49-0A0000000000}0xa49ce2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{27B459FE-617F-619F-AC01-000000000F02}5152C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 23542300x8000000000000000372792Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.327{27B459FE-6182-619F-B001-000000000F02}6428ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372791Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.290{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C63F00712560495CB72D1D388E0F1DF5,SHA256=1D230E3AA658535B0C39F094703B69864343A9C50AF3FE63883C5BA91D31BCF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372790Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.039{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4A929FCCBC6B80DB209D3840A795E09D,SHA256=130BC0644611054E017B22B19C10F019409D5EA7460345A5E70BEF9FA5473EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372789Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.037{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4E7C7B74373FB4F64C97B264A195E4A5,SHA256=5D8ABA2153FA15859FAAB9EAE86C1AD5F521B6458052D7716B3ACEF0CEEA9A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372788Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.026{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ABDD3BF23B9A59879AF10584DF5334D3,SHA256=8D5BA79284BBF56E21939E59E11BD482766710D087BB250DDDD91ABE4B0A18B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372814Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:20.737{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924FE30DE765F9A3486F4FE41C90BED3,SHA256=8D4AF9E29560DBBECA09072FA4288BCEE9260EFF2EADD4A53722F172B44AFF17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325078Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:20.180{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E528A4FEF0BCC133297C48A6BCC0EFB1,SHA256=13CF0623AD0BF1F08A350690444DED5D7BF92AB12E2251EEF3C5009DE075AAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372813Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:20.369{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=741DEEB783A9CD132D6448BA4097AE26,SHA256=E30AB12A4AEC8F479EA1D10C8EEB3E219FA111A77A5025C01603EA72E5CCC6B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372815Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:21.752{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EEAAB3F6A9A2C8168CB6FAE3AAD010B,SHA256=5F1A7BB875724BD11287EDEBBE8008CEB50519F58ABDFA76EFD927383CA2E034,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325080Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:19.681{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50086-false10.0.1.12-8000- 23542300x8000000000000000325079Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:21.180{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33DAE79DDB82893E066C919ED7D27391,SHA256=788148D5C4F2CF17D3ABC5FD5B0B722401E4DBDD3873759082C325108C2D0DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372817Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:22.766{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1D31AA320B27FB1B184E9DCCCFE7E6,SHA256=1CB2BF98042DD014080264CE4DACBBDC8FADEE52EAF55E06E2016D04837137F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325081Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:22.242{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60B7B1236C7AEA9701E0A623E8A7A90,SHA256=6A02AEB5D8AF4F557E42583940733C3D32C74F38F3C24995D9D262F8FA687E5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372816Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:19.135{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59027-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372818Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:23.769{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A79622F5F813AF8BD65EBBDEB4A8FEE,SHA256=E0E99DDDED853B0F6CB2F4852B8D280294A798E4BB67E430935C1D2C20011F8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325082Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:23.242{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF4FFC60ED0A98120B59836EB5D20E7,SHA256=AA7183723EFA71FA11EE1A5F03DFFC5598FD84EC46E11C118238187FB5E368C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372819Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:24.783{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414EC87BE43A9A914E92CE4DC0489CF8,SHA256=040F9B31274AEDA1B401BA7DA4905F806EA65A6EA22D8E10C66241C3B297816A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325083Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:24.257{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F50F0A58F31601F9B6D5ECCA52AD53,SHA256=B780ECB40C6E269EAB5E52740438EBFDD852B9E938EA67A24B23ADE145119A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372821Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:25.951{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=27908D5FC37B40CD82B36BC60C375C9D,SHA256=4F1F01D8CC58E2845A7C904B5ED454AFC1CC844C65EF9A639009AC815C19832A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372820Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:25.798{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEF72C9D18E502615BDBDBED94F7533,SHA256=D55901063B55AAB95560E9FBFBD1378C9FC6E66BD319903AC7345F28DC21159A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325084Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:25.258{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=945AEADF18EF6B0C5A17C7B8F9782D24,SHA256=54AB5A9DB1A51458B92E6D981C33BF86231A46BD76275D013F1F274669FEB0BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372822Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:26.831{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1A932024D0A510C241874F10CCA0A8,SHA256=0ED09403D66BC937663E350DA7406BD154A3144D785067B8263D24103BE56296,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325086Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:24.884{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50087-false10.0.1.12-8000- 23542300x8000000000000000325085Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:26.273{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1784DD72DDF8994B7A0271EB93FAE3D,SHA256=7C64A07B7875F613EF8CC3F516F34B3549A584D836D3556133D26F6E5F98255C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372824Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:27.882{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7F0FC413359D93EB0B6AF614BAA016,SHA256=AE6140A729B69085CFFBADDB5AC37B2A251A424F8576D3D173FF30C3509F9FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325087Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:27.304{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB8930A75E6911C738BF9417B713C20,SHA256=4A2359729E07C5EBE65743B468F4E5AE9AC2BB2F5484EE346C178A0FF7330573,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372823Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:24.238{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59028-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372825Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:28.897{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8197664E696BE38DEBFE57D568FBEB31,SHA256=30A52DFBE6B9EB6907124B894FE8F19291C187A7ABDFBA71D155A59302B84C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325088Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:28.335{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F560985A6FA49671104467F2D863A2E4,SHA256=2E64D6055281A813C82E855A28C2BF4C60961FEA725F7B0AC1358074921FD4EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372826Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:29.931{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA340F35CA1DFDC9F2F64E538C48EDC,SHA256=610AB1A25C2391B467AAE3BCF929C19613DA1B2F88C3F5D4CA42300D99EED586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325090Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:29.366{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1F6906E78F3E6E2E136A554EE0952B22,SHA256=D98CFC6833CBE03B8B58544A28A355763F32C34FD85E4B4EB507D42D7C8AEA64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325089Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:29.335{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA224C7C9D573FFA1C537CDCA91A1E89,SHA256=B11F4D1A2273D2B52DF643305520E4AB27E85C66839248B0DB2967CB26605648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372827Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:30.949{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B871AE9682814CA62CA5309F53C9748,SHA256=B32184C948E199C9E488F487401E143525D61BB96FEDA28E9D32E32A41F7C639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325092Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:30.351{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325091Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:30.335{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95B160200E2FE2E4B72FFEFF3A9F2239,SHA256=9F1598D71BFBE1CE128A54E26EA122E9014E0FAFCE2C733304F9D15D316EF9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372828Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:31.964{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578C6A6728F9B521640969979BFDCDF1,SHA256=A7E6CF2D75A86DC892C7CAF596192AFFA6BF6284DBEF3CD32AD39F49269B19D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325093Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:31.366{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40AB107903AE344F110442A67E351939,SHA256=F2F6CD895CCD1706CD6E9FB4659CF6657B81E4291C1B80A359BD010FA8798627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372830Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:32.964{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603457D349521C99540A86F0F31B422D,SHA256=F7AF03E30A75C45C57A99268FBE5943897E60329BF9BFC00DB6BDFA87C9E5255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325095Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:32.382{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D236E0AE1C4EA8C2B861AE7BA69BD6,SHA256=FA723E1D90A196DE7A48DB76DF68796F6B1A28CBDBA6B4BF017DB87BE329B03B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372829Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:30.220{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59029-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000325094Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:29.961{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50088-false10.0.1.12-8089- 23542300x8000000000000000325097Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:33.382{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EB6EE381B09B71EF986FF05873E3207,SHA256=E3938707B441004CAC6AB0EAC452C557AECA945DD3F00070970656F3D3795B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372831Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:33.914{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-027MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325096Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:30.696{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50089-false10.0.1.12-8000- 23542300x8000000000000000325098Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:34.397{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C53A522EF32092087970A4B6C2D8551,SHA256=C8B4611DE8831BE323E375225C645514E1835676D55E9ABD54268ABB684B46A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372834Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:34.927{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-028MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372833Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:34.480{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7AF8F0C99194743BF07378B36EBD459D,SHA256=D7B8E8F01750B132B28CF4812B8C44DD0446792EB259AB9F2C5B9E53FDF22488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372832Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:33.995{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52434BEA47A9B2A10A5E3A22E87FCFF6,SHA256=DAFA8FA45B50CCC6078451A0DA6A71C7DA3FB386386BEDACCCC08874FC02D7C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325099Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:35.460{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC46B8EBEF28FA6E10C8F6FFA435932,SHA256=77498E07292DE2ED5F5B02021F0A2F1BBE3F5B4B93553500F0A7B67F31021DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372835Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:35.026{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D9D53C846D07411804EDB99D9311B6,SHA256=60D344571FBE249BFD32D3D2C88819C30115DCEC36EF6618C3390D280FE4E101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325100Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:36.460{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F802AC9F405D89D499738F04A2F791A0,SHA256=D9183A1A3B6F418C971CFBE857CF596ACD4CB68A85DF91FF02F1F69300405078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372836Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:36.048{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E4691E4ACFA9A15928EC2C0E3CDAA4,SHA256=AE32B6222E5596A79636D0B2A1569BFE2B1FC825A1C118303D695F6C08B265DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325101Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:37.506{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540CE6439A73A1F2A96F584533659B50,SHA256=BB1D02FB2126DDA48BF81A3DFEB6976EE467E8947E8730C367B61D9D2F3266F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372837Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:37.049{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039386BD33E83BA6232C5975AAD097F4,SHA256=BFDD39FEA103BF81F95D441F9ABE8226EC2FD87D599F28D56EF2215F03AA5851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325102Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:38.522{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEC86643A754B604EAC4D76B9BF52C9,SHA256=4D0232709BCAB814EA1BC754A5AACD13CD4BC83A34DC2747D84486C7242CA051,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372839Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:36.173{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59030-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372838Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:38.094{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA2192C3FE4A252AB027FA2C85F85B6,SHA256=7E29700A491BAEF34ADA6B343DFD26268BC46454CC513D8C2C9289A80427C1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325104Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:39.522{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3830C34DE3F12BB45710FE24A5613308,SHA256=077AE1B34E64E69FE0732207F05F4DF83165BAE2525F2A2F6B54156E4F109727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372840Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:39.116{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AF908EA9C78B144298794177DE034FB,SHA256=95D85EED9611A77289540BDE88FEBE91367B09119AF0DD500601D4D2A151957E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325103Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:36.743{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50090-false10.0.1.12-8000- 23542300x8000000000000000325105Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:40.527{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3246A57358837447E5D747FADC8CAE,SHA256=F66BB00FD8B4EA9FB4585A48728271884B24B842568F9D11D550A8B8C1C5E9B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372842Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:40.369{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=A00989880B676C5DAFB36778AC1637FD,SHA256=49C8105353CCE4DAA475E3BFA0CA3362814F260503862828F4EB2E7014673510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372841Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:40.133{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E601D846DDAD4A9EC44E2CF0B0133D5E,SHA256=D30BDA4FF1F6E8BD3908F3D1A1F18469FF5EB528A3F4347CB8B04C218AD90CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325106Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:41.526{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0794AF316E8BF1796FEFA993C8082C,SHA256=232CE952C785580EB4E3BE89D91AACB7F7E7B3D93CC13C8A46F2E50C379A123D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372843Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:41.153{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74D6CF0D901F8B78D8BE1CC80C070F8,SHA256=258751CF2EA8B62A9D65FA9D79D2240495E7E74A349CD4AB74590DBC7E9548F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325107Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:42.573{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE493AB56A0AC6A4FCE8BCA80468296,SHA256=ADA06043142361D7CA7724E83D9CE0673287C9B42D837D38E39A078AD8FC15F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372844Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:42.183{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67AB30F6077FB2ACBA81290EA9F72FC7,SHA256=1EA7339B540BCA68FFE20FAAF2061004F1CD0B8DE20CA70DBDEFAC5B9DF65838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325121Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:43.605{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C984FDBCC94D9E62C40BC49F2E2BA8BA,SHA256=4D21F9CD11FAADE10A4AB6140A8E5C532C3F63DC80D4B4204A4E2785E925FB23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372845Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:43.198{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5994A3CF9CF206D0BD91EC28E55939DE,SHA256=022622F5F4BCBA87E3CF185F6447926CAB08D1C820842FB4BA0EF21489F63B93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325120Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:43.495{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-619B-619F-6001-000000001002}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325119Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:43.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325118Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:43.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325117Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:43.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325116Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:43.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325115Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:43.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325114Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:43.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325113Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:43.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325112Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:43.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325111Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:43.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325110Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:43.495{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-619B-619F-6001-000000001002}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000325109Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:43.495{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-619B-619F-6001-000000001002}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000325108Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:43.496{99D2EDAA-619B-619F-6001-000000001002}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000325138Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.682{99D2EDAA-619C-619F-6101-000000001002}7123676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000325137Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.620{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192F68B7FD2D126A779946CD40D8C646,SHA256=53DBF9870F28C373A41ED5D32DFC684A7A590690CD92A7A10A1165358B4B67B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372846Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:44.215{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93CBA1AA3D74AB9B39554CE133A59A6,SHA256=D6E9037F6DB233154AAF92A1F32D602AEA7C62D4453C8F622C7AC2F9AAF45576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325136Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.526{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EC3AAA8E7DAE7E7710C75A1848F3D7C,SHA256=EA071C5D0B40A4419C9B36EB9E7CF2BF20FB9A9E841768A7E03B5291BE6FA86B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325135Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.526{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1565456805A2AE6750370F11C3C20101,SHA256=6BAB7E8ACFD66CEBD51AF316B3DC3B2386558409B22E4CC1160F8B42B5BA267B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325134Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.495{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-619C-619F-6101-000000001002}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325133Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325132Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325131Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325130Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325129Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325128Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325127Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325126Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325125Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.495{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325124Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.495{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-619C-619F-6101-000000001002}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000325123Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.495{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-619C-619F-6101-000000001002}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000325122Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:44.496{99D2EDAA-619C-619F-6101-000000001002}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000325153Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:45.745{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-619D-619F-6201-000000001002}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325152Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:45.745{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325151Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:45.745{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325150Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:45.745{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325149Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:45.745{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325148Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:45.745{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325147Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:45.745{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325146Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:45.745{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325145Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:45.745{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325144Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:45.745{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325143Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:45.745{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-619D-619F-6201-000000001002}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000325142Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:45.745{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-619D-619F-6201-000000001002}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000325141Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:45.746{99D2EDAA-619D-619F-6201-000000001002}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000325140Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:45.620{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FEDD653E87B879ACA1AFCC6BA5943F9,SHA256=E41324A4690321F8974C0AFB9F60C5CF1F903D6CAF9BDE3CC9905CFF6DABDE54,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372848Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:42.158{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59031-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372847Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:45.233{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF83DA2700A3AF994E51A43545EFEB97,SHA256=E115FF5A3B560D5ABC3891F3DA596150846B9B98907DA0B0E2410FA7BF49CBA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325139Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:42.779{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50091-false10.0.1.12-8000- 23542300x8000000000000000372849Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:46.414{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B39A3257309CA53531BB224030C0808,SHA256=41974589039494894E36FBFDBD3F96596713D01F9618A3AFB2D9DCF45D7C1C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325155Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:46.807{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EC3AAA8E7DAE7E7710C75A1848F3D7C,SHA256=EA071C5D0B40A4419C9B36EB9E7CF2BF20FB9A9E841768A7E03B5291BE6FA86B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325154Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:46.620{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67F662B96C8782C66E4BAB6AFFE3AF9,SHA256=5705F0DC9A02CB8958D2E5E7FA456370851D62C5328080AB297597E3E2C6797B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372850Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:47.420{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDACC06005EE6498237370DF3400F315,SHA256=AA3303EF7C4E8E619A5282208F08FDF66B46F6D799711C9F59CEBB3212CE1845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325170Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:47.635{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A607702AF5C7CCAF6862B2AC3795BB,SHA256=80BF3A7683E0A1D7CFAA66C0C065767E44EB13639A6FE10B8671F5C8F38EF62B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325169Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:47.276{99D2EDAA-619F-619F-6301-000000001002}31162544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325168Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:47.073{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-619F-619F-6301-000000001002}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325167Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:47.073{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325166Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:47.073{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325165Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:47.073{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325164Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:47.073{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325163Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:47.073{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325162Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:47.073{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325161Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:47.073{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325160Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:47.073{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325159Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:47.073{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325158Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:47.073{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-619F-619F-6301-000000001002}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000325157Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:47.073{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-619F-619F-6301-000000001002}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000325156Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:47.075{99D2EDAA-619F-619F-6301-000000001002}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000325186Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.760{99D2EDAA-61A0-619F-6401-000000001002}16161612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000325185Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.636{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74254C8721715D1DC31C238EC73585EE,SHA256=3AAC727327C41CB4E38F299F0FD99586BAA54A79526FFCA5C55E78462FEE2208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372851Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:48.437{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD5F08695D44FA5D3E4944B248A6042,SHA256=9001F1F9199592B949B326E47AA2201CE72FB26F3D04650364911EF0220E0444,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325184Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.573{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-61A0-619F-6401-000000001002}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325183Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.573{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325182Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.573{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325181Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.573{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325180Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.573{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325179Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.573{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325178Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.573{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325177Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.573{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325176Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.573{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325175Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.573{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325174Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.573{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-61A0-619F-6401-000000001002}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000325173Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.573{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-61A0-619F-6401-000000001002}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000325172Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.574{99D2EDAA-61A0-619F-6401-000000001002}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000325171Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.135{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D42030CE0F15E0665C3450121944CF5,SHA256=3D415268DA77404CB47B4C55C22BA9D9674D8EBCAB50B93C5B38AE22B99504C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325202Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:49.682{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4248C8242DAD4CC553575BC069C577DA,SHA256=186F54E7B37E3FB2948DA4E7452305AA053F72198F54B74929A17E9242F9DEBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325201Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:49.651{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B41A09A3F394690E8851B790B496837,SHA256=2BFB1E2FF706ED4362AE2B54A1ED561E2C4CAC47E6E3C605ECFD20C75A6ED10D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372853Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:47.263{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59032-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372852Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:49.456{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89CC71269BDE25FFC34A78555805BAF,SHA256=C5F61FC76D4F6CE53D0B171E0C36E87D636D74A0CBE567697C4FFE60DC2EF3A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325200Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:49.479{99D2EDAA-61A1-619F-6501-000000001002}23603172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325199Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:49.323{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-61A1-619F-6501-000000001002}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325198Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:49.323{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325197Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:49.323{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325196Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:49.323{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325195Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:49.323{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325194Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:49.323{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325193Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:49.323{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325192Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:49.323{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325191Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:49.323{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325190Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:49.323{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325189Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:49.323{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-61A1-619F-6501-000000001002}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000325188Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:49.323{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-61A1-619F-6501-000000001002}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000325187Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:49.324{99D2EDAA-61A1-619F-6501-000000001002}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000325216Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:50.651{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51096DE061F73AC8A51B8819791F1AAD,SHA256=3A52F6A0D243AC3BAEA1FC596E33F77D456EBD9ED90479A14B3599A608358912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372854Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:50.490{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2C92220145C479DA783601024747CB,SHA256=BBA63CD9B91C8AA72B1FA7A0FC18B3BC31CB940EA7E40CD925CEB7DB34567C88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325215Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:50.542{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-61A2-619F-6601-000000001002}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325214Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:50.542{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325213Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:50.542{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325212Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:50.542{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325211Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:50.542{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325210Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:50.542{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325209Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:50.542{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325208Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:50.542{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325207Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:50.542{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325206Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:50.542{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325205Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:50.542{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-61A2-619F-6601-000000001002}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000325204Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:50.542{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-61A2-619F-6601-000000001002}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000325203Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:50.542{99D2EDAA-61A2-619F-6601-000000001002}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000372855Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:51.518{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179235FCAF940FF4E5374F1035E40A77,SHA256=DFA01C78D0B03EE10AAE42F28A230EE60C43B34743705C5752AEEBBBB149EEDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325219Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:51.760{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFA7BCFC03AA2FC05B07B1AA888EB7B3,SHA256=7048946D92F0712A41997810E9D621E2A1099950B2DCB325D0F197D89DBD3C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325218Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:51.651{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1892E31C819C4AB2F948549C79F78DC,SHA256=11DAEAA8F9856271A16612A6AEE042F58E241BFEE8699E1D9A24E23B203D737D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325217Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:48.841{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50092-false10.0.1.12-8000- 23542300x8000000000000000372856Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:52.536{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67311B04E6FF461C32174A06D65C4C9D,SHA256=5E523E5674CECAEF0B59C9749809C47B43958BC31E875C11D0C79F4E86AF3D1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325220Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:52.698{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866026597ED773314BAF3C476E5D7DA5,SHA256=AF6519B392288E5D48D06DBB5A1A0F3CD64353B0D4F6D0B395A0DDB6722A04E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325221Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:53.698{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8415460B947248A392EAD89BBAC00433,SHA256=1387AFD64D727D48796B851B9142DFA6D8CE60EA51E94C63BDAF1A8E2767CE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372857Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:53.554{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=421C0D73B6FF4CA3F77DF1EC0B8DE1F0,SHA256=0E8BE213E97D732B2EF559659BFA95F8E7C6FF46462A64461F01CDBA46BDD9BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325222Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:54.697{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07AD40C3780C80A4EFDF3B30D6D25B15,SHA256=105D07BB5217D53D7900817B5186A8EA3106E6CB0C8BA29C82D225969787EBE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372858Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:54.569{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE0BC7E2558F5C3480906D38D6D5977,SHA256=748D46C22A37AD874A720176B49810BCEE2C516D58FA4BA19CA7405CA245B727,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372860Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:53.110{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59033-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372859Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:55.570{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA9C9A0F0AF0544567E004902EC6BF1,SHA256=69EB20AC08974435F54D117FA459DB77E3698A74FFBF066CFD209859D5CB4C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325223Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:55.744{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31FC0675E310C25B22F6FD33C01AF2C9,SHA256=659EE405A2044258DFE871FCFE58BB35B38BBDD6863D78E1EBE6338D4324D7BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372861Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:56.585{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=487404CCBBF2D854E3924E228749FA15,SHA256=03944441AB28867B6BBEBA8D7DF50F4E0667FEC50951EC62D27256FD0C6A78BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325224Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:56.744{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7867B1A17A79F600BAC4B1A196E295,SHA256=6BCE01745CAB402C5363E13B14DB5ECD5F3A2CE97DD08464F5BAD55EBB00E82E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325226Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:57.760{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760E1EF652F9728BCD9111305D5F9B73,SHA256=3E4EA9B7F64A40BDB4C10459CDCBF14D00710CC99028CFA92DC907707E444CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372862Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:57.615{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876E92A97B549E710A1DD5BC4C1712DC,SHA256=13B099BE19A89DF367579D1F8059F9BDA142E3C15F287859D3CEFA7A821E608B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325225Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:54.748{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50093-false10.0.1.12-8000- 23542300x8000000000000000325227Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:58.775{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD235123B791A017EB949C98A3FD30B,SHA256=491658F7B00D8924D1D8DEFF2EE0830245A2275DF81ED54E6B6112404A22411B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372863Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:58.632{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD36BCBD534B3EE43D864BCE543E7274,SHA256=E31093C04FED02FE3CF9647EC63DE5D77BFEDFE2BC5FF227D8E5CE21F83A777C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372864Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:59.653{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F659DC48E5E751648E7E0620A5E4BC3F,SHA256=C9B73067C291D766924872F4F7424B4AA6AE5C1D4620CD4E68AFBE6697603715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325228Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:59.795{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C84C823551D4B478292058E8CF0540,SHA256=0D6DBD7F9BE50CF0088E28E3CFFCE3CC1E3D3EB39C09F4D020F076BE37472E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372865Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:00.667{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C819B9D46C8688C9A728984615300D74,SHA256=D3EABFB26A2A49A257DB59088EBA05643D4EA1766E6B565B47DB4E7A5AE8531B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325229Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:00.795{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95FD2FE052B1BF3F88C85422D305AE2C,SHA256=C5E447EA0094AD78ADE7B116AB40871C014124F99AD47860E46BEDE33172C008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325231Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:01.794{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C4FA6B87A4F96F35D08A98E619EC5F,SHA256=96A03DC246F8513BC157EE36D74B219B5674C88BCA161163A1EC5F3F044AC0D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372867Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:12:59.139{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59034-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372866Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:01.668{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FD9DF011F2925DA6F477E90F9D9448,SHA256=6C92CBAE0906F7D13735E0EB22C727825A771D86B3A291F07A2ED6FA8F0A6892,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325230Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:12:59.814{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50094-false10.0.1.12-8000- 23542300x8000000000000000325232Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:02.841{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15766FAA0DCBB8E15044128488FBDC7,SHA256=4CB6D9103F94376FEF3E25A5D3769B6CE803AE58CBD4CD2D96586B9214A28B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372868Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:02.714{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AADD68C2E66E313D7A52E132EED30387,SHA256=8B0A18D6CBF00FCAEDACF1FB322562DE04A66338B3634C903FE8AFBF09B0AF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325233Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:03.888{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8503D235A66AE00BB9451F250581B5AA,SHA256=91E9DB9E7951545FEA9B0F158386B81ABCB8D85B6E665EBB7A4AA2DDC9F86C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372869Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:03.750{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA32328636394053EC82B03F49EB7CF7,SHA256=EAC69C6F98FE0ACA3D037570D7A255AB0D760F8CBE6510C98FE402BE2FD1246A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325234Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:04.888{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4867B49EEFB360552BF22D18F91CE61,SHA256=878228355B9600A4EA56747658BB73D4A3A818FA6BBF8FA4A0BED5108496DE0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372880Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:04.771{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC5928E16B88BCD391C31F952EE2423,SHA256=22CC13BC5F841F9D6EBBCD0DD31BD93C846953B2CED7DE74B594F86E3AD0618F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372879Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:04.702{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86D4837D1C8A868955EC058F56C10E2B,SHA256=A4DDA43141B08A9E8B5EDF29A31D4F5FECFE26B4A8DE90C3A7F49D65385D6AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372878Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:04.700{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D9220E720532E261F340F5C6654B0EC,SHA256=47AC986A201C7D20B0BD77994FE8BE3A7FC9227D5CF392B8D531F81DF259C2F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372877Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:04.466{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-61B0-619F-B201-000000000F02}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372876Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:04.466{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372875Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:04.466{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372874Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:04.466{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372873Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:04.466{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372872Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:04.466{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-61B0-619F-B201-000000000F02}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372871Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:04.466{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-61B0-619F-B201-000000000F02}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372870Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:04.467{27B459FE-61B0-619F-B201-000000000F02}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000325235Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:05.904{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F159C5A993C93AD5480BE5027309A6E2,SHA256=139BFF8E5FCA75C00FCFFD3BF2B34EF80324967E66630D8C6AB00157123D00CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372892Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:05.780{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42AD7FEA2C7B51CFB9EE570686692A9,SHA256=C2EBE3FF1731BA9F187283C6F860F50CC4268018A2C241174F80C5D00D9CD728,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372891Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:05.649{27B459FE-61B1-619F-B301-000000000F02}63526336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372890Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:05.345{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-61B1-619F-B301-000000000F02}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372889Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:05.345{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372888Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:05.345{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372887Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:05.345{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372886Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:05.345{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372885Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:05.345{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-61B1-619F-B301-000000000F02}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372884Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:05.345{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-61B1-619F-B301-000000000F02}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372883Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:05.346{27B459FE-61B1-619F-B301-000000000F02}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000372882Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:02.706{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local59035-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000372881Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:02.706{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local59035-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 23542300x8000000000000000325236Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:06.904{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1638899C4D8096C144EBEEC4ADF45CC6,SHA256=92E37935B01FAB6BFF50935221156F23740A0A9464A0200273373E17E85D2D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372902Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:06.785{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE80845AC4EA75F7375FF2D4247AF491,SHA256=C34554D0F30860BF39753503CCAEE4F000BF9815F2A0C7DC38990AB7DBAEC4A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372901Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:06.396{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-61B2-619F-B401-000000000F02}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372900Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:06.396{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372899Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:06.396{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372898Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:06.396{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372897Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:06.396{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372896Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:06.396{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-61B2-619F-B401-000000000F02}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372895Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:06.396{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-61B2-619F-B401-000000000F02}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372894Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:06.396{27B459FE-61B2-619F-B401-000000000F02}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000372893Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:06.364{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86D4837D1C8A868955EC058F56C10E2B,SHA256=A4DDA43141B08A9E8B5EDF29A31D4F5FECFE26B4A8DE90C3A7F49D65385D6AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325239Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:07.904{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE313ADAA1F8A1A5694121E47E279668,SHA256=6630705FC7015A060ED2F2A18541321423814F240DFB51E6B9074458936F3476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372906Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:07.816{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35032A471DC15B5678026A005E841325,SHA256=072119F804C06401774A762B037F69A26D62771209E3F6525F3B09A0DA404D5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325238Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:05.768{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50095-false10.0.1.12-8000- 13241300x8000000000000000325237Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:07.450{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e5-0x0abb0dc0) 23542300x8000000000000000372905Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:07.447{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46C43D95E5D863172A8A852A09CA4C27,SHA256=1BB1D5F582776912C62415570493EC64132FD943E30A579A900182FEED8F449A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372904Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:07.385{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372903Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:04.222{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59036-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000325240Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:08.903{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC11EB02CA6AEF0EF600E69312935F68,SHA256=B521F6D3AEC61531A9A99327CE65E3865CE0A3FFAA87A29859E93CFDE0381F68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372916Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:08.915{27B459FE-61B4-619F-B501-000000000F02}64726444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000372915Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:08.847{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB04B48E3163F69E13552E95606F73C,SHA256=9C2DEB58B2D31058820B3A61027FD4952622D6B61F30BE7778887F6FAECE56D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372914Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:08.547{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-61B4-619F-B501-000000000F02}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372913Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:08.547{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372912Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:08.547{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372911Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:08.547{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372910Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:08.547{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372909Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:08.547{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-61B4-619F-B501-000000000F02}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372908Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:08.547{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-61B4-619F-B501-000000000F02}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372907Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:08.548{27B459FE-61B4-619F-B501-000000000F02}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000325241Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:09.935{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C28A11855B03B677D3C464A9685B198,SHA256=C285B446B946FEEE7BA97A3DEDB31234A720054EADB9796ACDF6B27AD1F0AF73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372936Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.868{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7244E497EF089BF2519A4A77924EC6E,SHA256=1F4E0BF50A06E82ED15A174CF62C77897DCD914F6AA5223773CA5A84E59E7EDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372935Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.830{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-61B5-619F-B701-000000000F02}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372934Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.830{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372933Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.830{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372932Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.830{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372931Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.830{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372930Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.830{27B459FE-5AC1-619F-0500-000000000F02}416532C:\Windows\system32\csrss.exe{27B459FE-61B5-619F-B701-000000000F02}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372929Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.830{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-61B5-619F-B701-000000000F02}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372928Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.831{27B459FE-61B5-619F-B701-000000000F02}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000372927Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.599{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF9EB277E8E855F5A4009A9BDB7D2814,SHA256=010F7634CA728644A134A1F962AF3167D592A49C3510C7DD00AB522205E8DAC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372926Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.384{27B459FE-61B5-619F-B601-000000000F02}64686496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000372925Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:09.284{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e5-0x0bd2d211) 10341000x8000000000000000372924Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.166{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-61B5-619F-B601-000000000F02}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372923Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.164{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372922Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.164{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372921Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.164{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372920Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.164{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372919Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.164{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-61B5-619F-B601-000000000F02}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372918Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.163{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-61B5-619F-B601-000000000F02}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372917Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:09.163{27B459FE-61B5-619F-B601-000000000F02}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000325242Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:10.935{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3EEDB619146C245D801BB82FD834533,SHA256=711EAF26F71AD7C3906DA256DA3303CC08408B13EDB23437B6642378434E0B4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372943Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:10.910{27B459FE-5C05-619F-B200-000000000F02}47484852C:\Windows\Explorer.EXE{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA5CC7)|UNKNOWN(FFFFF08320EA0351)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320E9FFD6)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000372942Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:10.910{27B459FE-5C05-619F-B200-000000000F02}47484852C:\Windows\Explorer.EXE{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800E5E65D08)|UNKNOWN(FFFFF08320EA5B48)|UNKNOWN(FFFFF08320EA5CC7)|UNKNOWN(FFFFF08320EA0351)|UNKNOWN(FFFFF08320EA1D1A)|UNKNOWN(FFFFF08320E9FFD6)|UNKNOWN(FFFFF800E5B7E103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000372941Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:10.910{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1bdf41.TMPMD5=6E9FB401D8735D70ADA0D710BDBB0D1A,SHA256=427140CDE192E1C317636E118B8072FD9501657ABBFF2A5395F9B09B51A039A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372940Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:10.895{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+aab351|C:\Program Files\Mozilla Firefox\xul.dll+adfb73|C:\Program Files\Mozilla Firefox\xul.dll+adfd27|C:\Program Files\Mozilla Firefox\xul.dll+aab13f|C:\Program Files\Mozilla Firefox\xul.dll+b45806|C:\Program Files\Mozilla Firefox\xul.dll+399190|C:\Program Files\Mozilla Firefox\xul.dll+398da9|C:\Program Files\Mozilla Firefox\xul.dll+398c58|C:\Program Files\Mozilla Firefox\xul.dll+b5b60b|C:\Program Files\Mozilla Firefox\xul.dll+b543e2|C:\Program Files\Mozilla Firefox\xul.dll+b599b8|C:\Program Files\Mozilla Firefox\xul.dll+b5a14b|C:\Program Files\Mozilla Firefox\xul.dll+38aca1|C:\Program Files\Mozilla Firefox\xul.dll+b5af29|C:\Program Files\Mozilla Firefox\xul.dll+b5dee2|C:\Program Files\Mozilla Firefox\xul.dll+b5a946|C:\Program Files\Mozilla Firefox\xul.dll+38a467|C:\Program Files\Mozilla Firefox\xul.dll+b39e0f|C:\Program Files\Mozilla Firefox\xul.dll+b39016|C:\Program Files\Mozilla Firefox\xul.dll+b407bb 23542300x8000000000000000372939Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:10.879{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=118C562CAB5E3315DE2C2969EACD0351,SHA256=7681ADDD780C74D7AC1053019343775D60A769F8D2B8680123470A19509E96B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372938Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:10.848{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E584137CC12E092E117CFDB69A9A405,SHA256=9FCDBF43AC1326FF01EC9574F944807FBFCB88ADE058903A8C1DFC10CBBEF95B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372937Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:10.110{27B459FE-61B5-619F-B701-000000000F02}65646456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372952Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:11.979{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-61B7-619F-B801-000000000F02}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372951Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:11.979{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372950Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:11.979{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372949Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:11.979{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372948Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:11.979{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372947Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:11.979{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-61B7-619F-B801-000000000F02}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000372946Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:11.979{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-61B7-619F-B801-000000000F02}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000372945Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:11.980{27B459FE-61B7-619F-B801-000000000F02}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000372944Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:11.929{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FECA5DCA9C94EA09395790AE222EF92,SHA256=B1F1A319969D37C1B92B021CB3D85A742DA9FE43C503BCDDC4339A0810BD9391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372954Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:12.994{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=871836B342181B684F582FAF710E502B,SHA256=FC8B8D2DAA6379222DC556CE77A2B9ACB077C805184CDA5876BF211C60F2CD33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372953Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:12.947{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80DD8C32684C8A83A9B323BA0DA888EC,SHA256=7DBA300AB014C85BA3EBCE84ECF9CDD3486793A18C7BB549CC7AE2A4AAD23AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325243Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:12.028{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DEB0EDC80BBDA9FD195616262F97021,SHA256=1118404E9B4241EAE33D95BAFF008EC9CFD2191AC906A258993509CF8664196A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372956Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:13.949{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0278DB98306085A12AA6D53CB5CA05E,SHA256=3EF3DEC17BA27C0F1925BDBFBEBCDFDF5F4CCA6451E4DD738B838369090A7C61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325245Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:11.752{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50096-false10.0.1.12-8000- 23542300x8000000000000000325244Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:13.044{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E488ADE2F86BA1FA1CD1EA320E96120A,SHA256=A2B4619A7DB75B87DD09D4B348176AAD8F2BCB397453DC31496619CF9A65A19E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372955Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:10.118{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59037-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372958Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:14.979{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E6ACDB95C756AD2B54F74C2D28E039,SHA256=824C89F3BEDDC31D0C6A4CCD70B763E326DB80E8E94092458E1D112A7B0DF0D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325246Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:14.044{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32069299EBBD84B1EB7860ACF59CF453,SHA256=5002F3B1A3483F4B5B12315FEF3149A312E73BCA0F7640EDA39FF547CC84EA86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372957Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:14.864{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325248Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:15.313{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-028MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325247Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:15.076{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E3F2BA66F10F84E78A2CB522EF03A3,SHA256=0B1A3B8B39FFBB5C88EAC9C7CB1C97141BCB4F167DBB846ADDD7CC5F688D0C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372959Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:15.410{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=8554B49E526B333BBF721E8F8C58FD27,SHA256=32798565A7127A56A02C26B66AF4296B4AAB42B0D7A921E272B42B362DA11E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325250Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:16.327{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-029MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325249Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:16.092{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D849E74E669581B1BC7CDD5A13CE75A4,SHA256=0794565F8EA84CCA39FEB1EEF94B7CBA1D551F042F3655287546B3E609DB4330,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372961Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:13.872{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59038-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000372960Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:16.163{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A415A6FF72233B2F4D393251170AF86,SHA256=3038557522D5D640556B3DA899CF0C0F220EB6028504B5EFF3793F25CB98756F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372963Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:15.271{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59039-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372962Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:17.209{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF4CCFCD1201459BB51C380575EF9D3E,SHA256=0EBD475DB341CF2D57C26B91AC42BDC653E33BB2A8143F3E5F3212D0EE1FE402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325251Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:17.095{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F2D9261C4E554E840771B8A57D8EFB,SHA256=22CAA92723C5696EC948C2896F8859F94F61C43A3634D299AB7855FAEE6AF894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372964Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:18.209{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5EBE5B206C69AAB6201528F83947BED,SHA256=0686CF9E5FDAB2FC00F912FCE7A068EF287EBE982F66BB5D4F502B555D989963,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325253Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:16.881{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50097-false10.0.1.12-8000- 23542300x8000000000000000325252Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:18.095{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0EC6D2B927582C820EA2CD4D8F02D7,SHA256=21C2E910E7C7691CC0CDEBAB39A064D00500670FF82CB6DFF5EFB0A1B0FBFB36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372965Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:19.230{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7071AE3C128229B698274825F69F65,SHA256=BA8C1B5C495CEA221D6CB527FE982830952B0F1428A7132637EA132830C12F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325254Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:19.095{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=998DA2AD8B4D5D2D526EF1BA18B8E134,SHA256=C76507770C88CC2A52EF9C406E79B062B8D08A041D3CE47835A7022860838AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325255Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:20.121{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8ED95782F614DE0B4410292FB6DCC06,SHA256=40E1FE47A7353C37A8B2F20B8B29820E948A4B7C9045BAECD11A023D68D9C9AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372966Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:20.245{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4816136923799672B541A567B3B4A35,SHA256=9FA7869AD051A70257F133ABBC6B6339475E8E93CCAE793BCB7750190F4AB9C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325256Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:21.152{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA91A406FBD416D5B2F0112A4EE15E2,SHA256=091478379DFB61424E2700A311CBA6ED7C0C1094CC21B176664F400B66B4C42D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372967Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:21.260{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F95DC11E1DBCE5CA164BAE8CA27D946,SHA256=5274A93A9699C3459A68E1057BF82C923FE5D232B24BEEE8FF984B197B0E4BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372968Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:22.275{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6982FF5545B19BE1ADF4A3F3C03FA54,SHA256=767FCDDA4605FE4097BB61AB233950A9BDA661781FD3D68791242C50B31B1582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325257Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:22.184{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A37C486B5050AA4B32A8D5B55CD3D4,SHA256=9B1000E9712B012A7D097DF9E475B1E11C0D2E96401D441A6884B1DD735AB002,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372970Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:21.230{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59040-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000372969Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:23.290{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B20DAC03A4B3857930BBD3EAB0128F9,SHA256=F912E991C6E611CD881A1F3B8ADE04B847245016D7A10E9E9A6C10FCD484F74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325258Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:23.215{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3333A59E0E3DEB3B96A9B6B98330B45D,SHA256=1C26E88C58A24D10AD56C13EF9005ED97B091E775A027CDF67E24C0859428A2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372971Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:24.306{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA74D99A8D10422E560C3FD344C6F11E,SHA256=2CBF7B7FF7E3FB3CBC6A0217CF44FCE90C97D36CDC4176D48557F0217CF277BC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000325260Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:24.277{99D2EDAA-5AC0-619F-1300-000000001002}1004C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e5-0x14c2a432) 23542300x8000000000000000325259Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:24.246{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9473EDF1A8A7BD6B035BFE25DF60B115,SHA256=4C7B7BCE76E7B8D638E6196D6C9B54BD790520D40A1C59CE15E448C29BBCBD99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325262Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:25.277{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=632CA3478988AC1832CB7679989ABE0D,SHA256=A59C7AB1A9EE1D55B17AC1441A56C675DD74FA9EF1B4A34FB04860C2DBC47362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372972Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:25.323{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566D50D7AD77E7537A9FD1B077357DA9,SHA256=E9CC8E0752F0421DC3655D38328765B50975DCA3BC0F93F751D555547B60A077,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325261Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:22.659{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50098-false10.0.1.12-8000- 10341000x8000000000000000372975Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:26.820{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372974Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:26.820{27B459FE-5AC4-619F-0D00-000000000F02}8964808C:\Windows\system32\svchost.exe{27B459FE-5EE6-619F-5101-000000000F02}5912C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000372973Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:26.342{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17ACF79783954497FC4411F2E9DC53E,SHA256=B55AA8722316370642569FDC1CFC965665FFF57468E37E1DC9792CE2B0BF8F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325263Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:26.340{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EBEB81D621CB4B1B7744ABB10FC922,SHA256=4F730A12A5DDE9C973A7FAA40C8E6F0128910DCEB54489A01CC63EF680C57294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372976Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:27.345{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAEC5FBDCDF814BC6D7C506817102BD4,SHA256=ED83252ABD760F4FB4289BB5E4B6BD8BC1448045D9139C435814301CFA69F5AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325264Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:27.355{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E776DC1B9097CA1EC7E255E97F83EAB9,SHA256=5E0BA9FCC495838770DEBE3CFD6DECCF110CDB6DBA199113DAEBD4384D6AA828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372977Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:28.361{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F3767040FE271738625B1AF51FD42C,SHA256=38B334BBAC0663E71CD7285EB9665D93F93EE7F2BBC606BDF3CF356DF816501F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000325290Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1B047EC9-12A8-41C1-ABB2-E95677229DFE}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000325289Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1B047EC9-12A8-41C1-ABB2-E95677229DFE}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000325288Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1B047EC9-12A8-41C1-ABB2-E95677229DFE}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000325287Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1B047EC9-12A8-41C1-ABB2-E95677229DFE}\FlagsDWORD (0x00000002) 13241300x8000000000000000325286Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1B047EC9-12A8-41C1-ABB2-E95677229DFE}\TtlDWORD (0x000004b0) 13241300x8000000000000000325285Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1B047EC9-12A8-41C1-ABB2-E95677229DFE}\SentPriUpdateToIpBinary Data 13241300x8000000000000000325284Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1B047EC9-12A8-41C1-ABB2-E95677229DFE}\SentUpdateToIpBinary Data 13241300x8000000000000000325283Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1B047EC9-12A8-41C1-ABB2-E95677229DFE}\DnsServersBinary Data 13241300x8000000000000000325282Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1B047EC9-12A8-41C1-ABB2-E95677229DFE}\HostAddrsBinary Data 13241300x8000000000000000325281Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1B047EC9-12A8-41C1-ABB2-E95677229DFE}\PrimaryDomainNameattackrange.local 13241300x8000000000000000325280Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1B047EC9-12A8-41C1-ABB2-E95677229DFE}\AdapterDomainName(Empty) 13241300x8000000000000000325279Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1B047EC9-12A8-41C1-ABB2-E95677229DFE}\Hostnamewin-host-61 13241300x8000000000000000325278Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1B047EC9-12A8-41C1-ABB2-E95677229DFE}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000325277Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1200-000000001002}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b047ec9-12a8-41c1-abb2-e95677229dfe}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000325276Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1200-000000001002}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b047ec9-12a8-41c1-abb2-e95677229dfe}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000325275Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1200-000000001002}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b047ec9-12a8-41c1-abb2-e95677229dfe}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000325274Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1200-000000001002}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b047ec9-12a8-41c1-abb2-e95677229dfe}\LeaseTerminatesTimeDWORD (0x619f6fd8) 13241300x8000000000000000325273Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1200-000000001002}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b047ec9-12a8-41c1-abb2-e95677229dfe}\T2DWORD (0x619f6e16) 13241300x8000000000000000325272Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1200-000000001002}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b047ec9-12a8-41c1-abb2-e95677229dfe}\T1DWORD (0x619f68d0) 13241300x8000000000000000325271Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1200-000000001002}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b047ec9-12a8-41c1-abb2-e95677229dfe}\LeaseObtainedTimeDWORD (0x619f61c8) 13241300x8000000000000000325270Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1200-000000001002}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b047ec9-12a8-41c1-abb2-e95677229dfe}\LeaseDWORD (0x00000e10) 13241300x8000000000000000325269Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1200-000000001002}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b047ec9-12a8-41c1-abb2-e95677229dfe}\DhcpServer10.0.1.1 13241300x8000000000000000325268Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1200-000000001002}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b047ec9-12a8-41c1-abb2-e95677229dfe}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000325267Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1200-000000001002}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b047ec9-12a8-41c1-abb2-e95677229dfe}\DhcpIPAddress10.0.1.15 13241300x8000000000000000325266Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-SetValue2021-11-25 10:13:28.652{99D2EDAA-5AC0-619F-1200-000000001002}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b047ec9-12a8-41c1-abb2-e95677229dfe}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000325265Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:28.355{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF59CAB039F3B6D8E84E54B8066B2CE,SHA256=A17D8653007C6F537AA5BDA8D5DF6B51CB478A7BFF7F8F964BA71D3390B7DF45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372978Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:29.375{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4865BCFF29C7458A8B03AAFB391188BF,SHA256=EC79D741371B73A2B445076601A2DC749A2165FBCC20F22A79A94EF5F1FEB6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325293Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:29.371{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0928486A1C8FF55F1887BD342960860C,SHA256=95CE1F5FF10AB32310FC2EF627952755322ACD7567EA9479C2E1D7618C8842A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325292Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:29.371{99D2EDAA-5AC0-619F-1200-000000001002}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=842F73065518F53D07A391C2CC5D47CA,SHA256=8ADB78250BEF055122B83E664ED8E732D1F144DA9B8AFEF325FDC0738EE48623,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325291Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:27.673{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50099-false10.0.1.12-8000- 23542300x8000000000000000325296Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:30.371{99D2EDAA-5AC1-619F-1C00-000000001002}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325295Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:30.371{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51D0373BDA19CD1870310E260C286EB,SHA256=7C5B19E901406583A39332F25D58A4798C9C6B32031CD6F0CF67D02272DD37A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372982Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:30.379{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD033A5530F54179F9D335BF9A28D076,SHA256=B11888D708CE15FB79B1303A1B77EE9D9319E1E7914BE1F1DFC75280C0CE833C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372981Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:27.739{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-266.attackrange.local53domainfalse10.0.1.15-55466- 354300x8000000000000000372980Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:27.738{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-266.attackrange.local53domainfalse10.0.1.15-63379- 354300x8000000000000000372979Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:27.086{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59041-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000325294Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:28.282{99D2EDAA-5AC0-619F-1200-000000001002}996C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-61.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000325299Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:31.418{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB961866ACA3BC60E6266F39886E73D,SHA256=55A2C587D4C3C4613C7FBAD0A04E7C63BD4BA00A0A808052F91F6D08F3881201,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000372984Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:31.781{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-5AA4-619F-0100-000000000F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000372983Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:31.381{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF7093A6E4C5333B814F234027846C6,SHA256=6F37A439EB5EB60CD06AD8C7DE01D4FB293B4302224D2B61CA7B14B47FAEA65F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325298Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:28.292{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9820:feca:8cd4:ffff-53263-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000325297Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:28.292{99D2EDAA-5AC0-619F-1500-000000001002}672C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:69d0:1287:d4b7:32cawin-host-61.attackrange.local53263-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x8000000000000000325301Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:32.418{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C59328F083112150472CA0583553B79,SHA256=3D7E7DD1DD1487B11210583C3023ED213D4687B113F57EFD7DD36F854BBEBD0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372988Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:32.796{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE59F7168A339802040FE08AAFE60D3C,SHA256=55C863CD4DB4338E9604B728E5DF2BD3BC9B501E72F449EB39755BA5C2A11ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372987Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:32.796{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=282880BF503AE7B68D0E01310DC40AF5,SHA256=3D5D330385C35AEE42E29A2E61E83C5291D94BFEFBD6A4828ACAAAB3060E5715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372986Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:32.396{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA6F6936DC943CB63B37F90B74BAC3B,SHA256=33FD8F0D70DD03EC61E9F1D7C98644046E5E00FED1553776B544242408F93D19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325300Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:29.986{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50100-false10.0.1.12-8089- 354300x8000000000000000372985Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:29.213{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-266.attackrange.local53domainfalse10.0.1.15-49374- 23542300x8000000000000000325302Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:33.450{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FC8665E1BCA3590FD75BEC077DFE5D,SHA256=2D3ABFBAA4098C1EA3FF64D3BFB760665AA1440C3CD382F684F56D9E0E4BB1CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000372991Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:33.411{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE4991A87AA1F03DE803362B02B2988,SHA256=C44C1FB91521F6FAB6EAC06D1050F72B720669364EF9EC0D86C1DDA440A4668E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000372990Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:30.806{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local59042-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local445microsoft-ds 354300x8000000000000000372989Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:30.806{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local59042-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local445microsoft-ds 354300x8000000000000000325304Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:32.799{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50101-false10.0.1.12-8000- 23542300x8000000000000000325303Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:34.481{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A67E86F669BC6BEE6EFA35B23AF293F,SHA256=B89285C80DD14E2426B344A27D46EBCD668FAE0AB8DCFFD9BF917B1E5BCAED9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373007Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:34.495{27B459FE-5AC4-619F-1200-000000000F02}500NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9497B2772DD2750ACAEA4D242819B099,SHA256=3975A9EE195136DD8C4DC0A1C582A6DA9D7AA9974A93B841363D85DE436098AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373006Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:34.433{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC40A99E3301D8C254F5137934EFBCF,SHA256=F7D15F2F13D27F73AFA0B1B4F36D73C67A1F35AB1369B031D4C9E7D8F20F81C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000373005Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:34.380{27B459FE-5AC5-619F-1600-000000000F02}12885456C:\Windows\System32\svchost.exe{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373004Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:34.380{27B459FE-5AC5-619F-1600-000000000F02}12885456C:\Windows\System32\svchost.exe{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000373003Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:34.264{27B459FE-5AC4-619F-1200-000000000F02}500C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{426c1385-4401-499a-95f1-3b920d20578a}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000373002Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:34.264{27B459FE-5AC4-619F-1200-000000000F02}500C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{426c1385-4401-499a-95f1-3b920d20578a}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000373001Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:34.264{27B459FE-5AC4-619F-1200-000000000F02}500C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{426c1385-4401-499a-95f1-3b920d20578a}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000373000Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:34.264{27B459FE-5AC4-619F-1200-000000000F02}500C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{426c1385-4401-499a-95f1-3b920d20578a}\LeaseTerminatesTimeDWORD (0x619f6fde) 13241300x8000000000000000372999Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:34.264{27B459FE-5AC4-619F-1200-000000000F02}500C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{426c1385-4401-499a-95f1-3b920d20578a}\T2DWORD (0x619f6e1c) 13241300x8000000000000000372998Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:34.264{27B459FE-5AC4-619F-1200-000000000F02}500C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{426c1385-4401-499a-95f1-3b920d20578a}\T1DWORD (0x619f68d6) 13241300x8000000000000000372997Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:34.264{27B459FE-5AC4-619F-1200-000000000F02}500C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{426c1385-4401-499a-95f1-3b920d20578a}\LeaseObtainedTimeDWORD (0x619f61ce) 13241300x8000000000000000372996Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:34.264{27B459FE-5AC4-619F-1200-000000000F02}500C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{426c1385-4401-499a-95f1-3b920d20578a}\LeaseDWORD (0x00000e10) 13241300x8000000000000000372995Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:34.264{27B459FE-5AC4-619F-1200-000000000F02}500C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{426c1385-4401-499a-95f1-3b920d20578a}\DhcpServer10.0.1.1 13241300x8000000000000000372994Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:34.264{27B459FE-5AC4-619F-1200-000000000F02}500C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{426c1385-4401-499a-95f1-3b920d20578a}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000372993Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:34.264{27B459FE-5AC4-619F-1200-000000000F02}500C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{426c1385-4401-499a-95f1-3b920d20578a}\DhcpIPAddress10.0.1.14 13241300x8000000000000000372992Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:34.264{27B459FE-5AC4-619F-1200-000000000F02}500C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{426c1385-4401-499a-95f1-3b920d20578a}\DhcpInterfaceOptionsBinary Data 13241300x8000000000000000373019Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:35.948{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000373018Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:35.948{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001c4127) 13241300x8000000000000000373017Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:35.948{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1dc-0xb9aec7a1) 13241300x8000000000000000373016Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:35.948{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e5-0x1b732fa1) 13241300x8000000000000000373015Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:35.948{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1ed-0x7d3797a1) 13241300x8000000000000000373014Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:35.948{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000373013Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:35.948{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001c4127) 13241300x8000000000000000373012Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:35.948{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e1dc-0xb9aec7a1) 13241300x8000000000000000373011Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:35.948{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e1e5-0x1b732fa1) 13241300x8000000000000000373010Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:35.948{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e1ed-0x7d3797a1) 23542300x8000000000000000373009Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:35.451{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\respondent-20211125094351-028MD5=444217E36DFC8E9793195AA16DFEF3CF,SHA256=A3E563783C781B480B74E9BE21DB5B6813B8114F269761C54D4CAB14EBB063C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373008Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:35.450{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D84245F83C3EEC94ED1540E222021373,SHA256=75F2635CB4804B24FF9BF926BBE6334EF25A6AC2351AE5570D9394A918A5A274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325305Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:35.481{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C297B322BC27098DA4C9F3861A8CBEE,SHA256=8A2B3B8B4679C13A9EAD9A7DA107C6FC7EC32B2B303FF1D6E49FF58140C060FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325306Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:36.481{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6ED0B1BF4E21B3D1CD0314CDB0B2B5D,SHA256=21ECA3FF818D0F29850639B1497858FB436E7BDF4B34713CF065A42CC680940B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373037Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:36.463{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30552D86DB1B1568909876A9C8252F36,SHA256=B7553C812E7F29386EABDBC099E2157100358459C00AA29337D639786AA711E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373036Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:36.450{27B459FE-5AD5-619F-2F00-000000000F02}2348NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-01615e2e6f69d9778\channels\health\surveyor-20211125094349-029MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000373035Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:36.311{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{426C1385-4401-499A-95F1-3B920D20578A}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000373034Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:36.311{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{426C1385-4401-499A-95F1-3B920D20578A}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000373033Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:36.311{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{426C1385-4401-499A-95F1-3B920D20578A}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000373032Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:36.311{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{426C1385-4401-499A-95F1-3B920D20578A}\FlagsDWORD (0x00000002) 13241300x8000000000000000373031Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:36.311{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{426C1385-4401-499A-95F1-3B920D20578A}\TtlDWORD (0x000004b0) 13241300x8000000000000000373030Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:36.311{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{426C1385-4401-499A-95F1-3B920D20578A}\SentPriUpdateToIpBinary Data 13241300x8000000000000000373029Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:36.311{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{426C1385-4401-499A-95F1-3B920D20578A}\SentUpdateToIpBinary Data 13241300x8000000000000000373028Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:36.311{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{426C1385-4401-499A-95F1-3B920D20578A}\DnsServersBinary Data 13241300x8000000000000000373027Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:36.311{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{426C1385-4401-499A-95F1-3B920D20578A}\HostAddrsBinary Data 13241300x8000000000000000373026Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:36.311{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{426C1385-4401-499A-95F1-3B920D20578A}\PrimaryDomainNameattackrange.local 13241300x8000000000000000373025Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:36.311{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{426C1385-4401-499A-95F1-3B920D20578A}\AdapterDomainName(Empty) 13241300x8000000000000000373024Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:36.311{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{426C1385-4401-499A-95F1-3B920D20578A}\Hostnamewin-dc-266 10341000x8000000000000000373023Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:36.296{27B459FE-5AC2-619F-0B00-000000000F02}640672C:\Windows\system32\lsass.exe{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+31345|C:\Windows\system32\lsasrv.dll+2f1db|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x8000000000000000373022Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:13:36.296{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{426C1385-4401-499A-95F1-3B920D20578A}\RegisteredSinceBootDWORD (0x00000001) 354300x8000000000000000373021Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:33.288{27B459FE-5AC4-619F-1200-000000000F02}500C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-266.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 354300x8000000000000000373020Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:33.104{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local59043-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000325307Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:37.497{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9EF6210880A105B8B51F6310079EA4,SHA256=63D7EFCDD060FCB4E1BE101164376E8BF1E59A08E11EC266E93286AAED31AB54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373039Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:37.479{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C874E98DC7EDAC884D996593785E0914,SHA256=920715A9B12787F306098BAD20779DFD4EE10189116EF18E927724D6F3AD4C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373038Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:37.311{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE59F7168A339802040FE08AAFE60D3C,SHA256=55C863CD4DB4338E9604B728E5DF2BD3BC9B501E72F449EB39755BA5C2A11ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373050Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:38.510{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95A6F38F14CAF0F60601DB01226FE05,SHA256=DB21F6C0145A1271AFC10385F5987243CA10B6A1E6427DEB4FEF44BF5337921D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325308Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:38.497{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3196CE5F58CC8775CA730038744BDDFC,SHA256=8FCB18D53F3C63180B9BE4653DDD3C1D99AC44C2413871AAC5C1FBFFAEC01B00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000373049Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:35.339{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-266.attackrange.local53domainfalse10.0.1.14win-dc-266.attackrange.local62118- 354300x8000000000000000373048Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:35.339{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local56533- 354300x8000000000000000373047Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:35.337{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local61451- 354300x8000000000000000373046Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:35.329{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local62664-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000373045Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:35.329{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local62664-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000373044Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:35.326{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-266.attackrange.local62663-false10.0.1.14win-dc-266.attackrange.local53domain 354300x8000000000000000373043Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:35.326{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-266.attackrange.local62663-false10.0.1.14win-dc-266.attackrange.local53domain 354300x8000000000000000373042Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:35.324{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-266.attackrange.local53domainfalse10.0.1.14win-dc-266.attackrange.local53687- 354300x8000000000000000373041Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:35.324{27B459FE-5AC5-619F-1400-000000000F02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-266.attackrange.local53687-false10.0.1.14win-dc-266.attackrange.local53domain 354300x8000000000000000373040Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:35.135{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local56928- 23542300x8000000000000000373052Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:39.510{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21B7EFDB237D79584BB2A58AAE955F4,SHA256=B8DF6A56E94EEE8A9ED42C7C09B0CB20C5468AD864848BED0EE1234EA006C0C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325309Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:39.513{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357166F0F5019FE6FC507B1A9B5A381F,SHA256=8C0AF67D8AA9BAA56EFBAD93F6498CCC879A82B5432D9CD45B5832F496FF115F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000373051Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:35.341{27B459FE-5AD5-619F-2D00-000000000F02}2296C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-266.attackrange.local53domainfalse10.0.1.14win-dc-266.attackrange.local55726- 23542300x8000000000000000373054Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:40.529{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEB510B81938282ABB3AA236EA4A5F5,SHA256=8AB9EC4F764A8B39702937C1BC2F4FFCD354A87BF15767DE5DE8D1553F3B4AE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325311Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:38.831{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50102-false10.0.1.12-8000- 23542300x8000000000000000325310Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:40.517{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65E0099F16BBF04EF0FA53D69904E02,SHA256=6C2CDDC54367436AF65B9961098C26EB4D8D01F58E35CCA420C94F17957690BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373053Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:40.110{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373056Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:41.547{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5481BD4F2DCFB77566CA89C89F85DAF8,SHA256=DE09882DEE677C7300051FA4F2205A7616B2D3B30A8B1AAE4DC1D7E4D9C6667B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325312Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:41.564{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71FCB6C4EBA46F28331B8B27E81826F,SHA256=C1D2DEEFA012F3E918195886DAEEA1B0280996CBDDE7ADFA75F7DDCAA1B0A329,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000373055Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:38.250{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local62665-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000325313Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:42.658{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62113299BD244565D9CA42CBC27A7ACB,SHA256=051EA3AA7B9DEA202BAEB819795D26CF339F429523D3C8552F555FB7313A5AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373057Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:42.562{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60461C68A56C2DA396342109C29A70F,SHA256=D38ADC90A0CC23C6368F1F6A58304363F589F61BE17523BDFA07C079B82DC977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373060Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:43.577{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DA29E9EC9B8236C1563D8C733BFE20,SHA256=B25377283CB8B40FFB74C16485FD7205FC185691B6D742F34F2A1DCCB59BD4A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325327Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:43.658{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55B5E084261ABAAEE02CE5CE25AD536,SHA256=6DFD42EDDAD92625ED38A126BE2A65517A62547B4D58D32419DE154D293B4FC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325326Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:43.486{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-61D7-619F-6701-000000001002}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325325Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:43.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325324Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:43.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325323Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:43.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325322Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:43.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325321Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:43.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325320Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:43.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325319Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:43.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325318Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:43.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325317Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:43.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325316Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:43.486{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-61D7-619F-6701-000000001002}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000325315Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:43.486{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-61D7-619F-6701-000000001002}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000325314Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:43.486{99D2EDAA-61D7-619F-6701-000000001002}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000373059Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:43.561{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBB1774C92D45B13DF16034B9CB4A0CE,SHA256=0194660263A1B88E9FA91188DE36DEE89BFD313703D69FBBCA5E2BCF21BF57B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373058Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:43.561{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF7C4E40F443169E960234F7D9EAAD6E,SHA256=76B6060D63926640A4E381B8D425D91E6A643356B36812C94378B9FB4513BDC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373061Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:44.592{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9BB60A50A630F9DB606E2956E81D154,SHA256=D84FF2A4281C196ECBDD2B3723549BB6F70CF1AF6F8AAA72E2BB9F985CE96231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325344Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.673{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71725C4FFE1B74022AC225793A5AF7A2,SHA256=CFF406D31A8A61E2BC20C63B5F64388125CF318985F2C0380DE4122E326FC9A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325343Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.626{99D2EDAA-61D8-619F-6801-000000001002}2712784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000325342Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.517{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F26B39B22C304B3D7FD041F3BC50892,SHA256=9843EC6E6D68D0A329321CF748FBE1CABC8DAFFC7D1C775CB78B78D7A5C434B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325341Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.517{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B33DEB47366251700DF9B919B9597132,SHA256=C856A1174B00231C5F3D83231825D086B089F4B98FB110C39A38EC19BF8FDDD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325340Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.486{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-61D8-619F-6801-000000001002}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325339Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325338Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325337Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325336Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325335Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325334Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325333Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325332Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325331Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.486{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325330Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.486{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-61D8-619F-6801-000000001002}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000325329Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.486{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-61D8-619F-6801-000000001002}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000325328Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.486{99D2EDAA-61D8-619F-6801-000000001002}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000325358Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:45.736{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-61D9-619F-6901-000000001002}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325357Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:45.736{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325356Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:45.736{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325355Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:45.736{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325354Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:45.736{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325353Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:45.736{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325352Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:45.736{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325351Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:45.736{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325350Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:45.736{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325349Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:45.736{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325348Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:45.736{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-61D9-619F-6901-000000001002}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000325347Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:45.736{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-61D9-619F-6901-000000001002}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000325346Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:45.736{99D2EDAA-61D9-619F-6901-000000001002}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000325345Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:45.673{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E224D157EABED8AB079DB2C8C90748EC,SHA256=C4B26596EDF2937BAAE6E8BC20AF24F02A46439C68BB842AA32E021B0A67C025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373062Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:45.607{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C4306DA548220CFC7C37C60313FF13,SHA256=0E4A2654B141238C533050B156864983572E2729DE82A6B055EACE95A2CB8DA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325373Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:46.986{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-61DA-619F-6A01-000000001002}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325372Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:46.986{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325371Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:46.986{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325370Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:46.986{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325369Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:46.986{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325368Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:46.986{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325367Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:46.986{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325366Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:46.986{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325365Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:46.986{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325364Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:46.986{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325363Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:46.986{99D2EDAA-5ABF-619F-0500-000000001002}404936C:\Windows\system32\csrss.exe{99D2EDAA-61DA-619F-6A01-000000001002}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000325362Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:46.986{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-61DA-619F-6A01-000000001002}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000325361Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:46.987{99D2EDAA-61DA-619F-6A01-000000001002}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000325360Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:46.736{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F26B39B22C304B3D7FD041F3BC50892,SHA256=9843EC6E6D68D0A329321CF748FBE1CABC8DAFFC7D1C775CB78B78D7A5C434B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325359Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:46.673{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F67E233614C7FCA4D97399BC9A04329,SHA256=88691B3726836D39AAD15659532A9FB1D4348A18BAD942C37BFF5701EBA3EA47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373064Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:46.624{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B9A0C8751224EBE3241954EAEE85CD,SHA256=480869537EA0E56B7D4A6BF3FA454EDDFEF2EE27D9D215B962AA7AAC9FB0A986,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000373063Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:44.215{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local62666-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000325377Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:47.986{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE9ED8B48D0BC526D2DF5A49B6469DB4,SHA256=BD49641393516AD99E224BF0C348C62553230CD63834178C908D93CF78DF4968,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325376Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:44.835{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50103-false10.0.1.12-8000- 23542300x8000000000000000325375Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:47.673{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B674E6B9BC0C1E137EA1A93AAE1461E2,SHA256=1AC37C1567B5D89A70B2CFBFB4C3F4B5A769F27BBB3FE626B6C7EAE99D5B858B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373065Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:47.644{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD95AA5A7072D4FA9E019ADBDD78CF0,SHA256=CAA2C508D8B451234D5E58F08D68838582F93B993E26E2F3816205AA6DB47304,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325374Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:47.191{99D2EDAA-61DA-619F-6A01-000000001002}10122880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325392Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:48.720{99D2EDAA-61DC-619F-6B01-000000001002}34843296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000325391Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:48.689{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291B0C6A17D6E958BF53E119DFC30F24,SHA256=9F2847545737068A1D06399B294B8AF2BA379F8379CCED8F99ABCB1AD5B86E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373066Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:48.674{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6D2FB8214E848929FC97143E279119,SHA256=BB17578D41BE1C842A1739DE500C74B9A335640C468F68222CF950BB117B553D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325390Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:48.564{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-61DC-619F-6B01-000000001002}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325389Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:48.564{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325388Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:48.564{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325387Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:48.564{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325386Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:48.564{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325385Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:48.564{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325384Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:48.564{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325383Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:48.564{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325382Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:48.564{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325381Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:48.564{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325380Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:48.564{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-61DC-619F-6B01-000000001002}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000325379Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:48.564{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-61DC-619F-6B01-000000001002}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000325378Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:48.564{99D2EDAA-61DC-619F-6B01-000000001002}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000325408Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.736{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81176B7621FC6F2EEE48FA7748FDE2E7,SHA256=542F0691B583E56BC8D31DC539537327B544D7ECC381F4FAC2FB3A28E2258482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373068Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:49.704{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81BF77F4941E1383CCD0F1B37C327F00,SHA256=9C76C4EC50A5D2C205C007C2BAAD4D79A3C827ADD78D02CB7A37E676EF3FF10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325407Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.564{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF736CEF558E22891D5837990034173F,SHA256=DF1328011CC8F3497BC139CE9F85F0F32EDFBB6FC645C0EACF7BC1FDA9DDD289,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325406Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.486{99D2EDAA-61DD-619F-6C01-000000001002}14043308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325405Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.314{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-61DD-619F-6C01-000000001002}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325404Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.314{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325403Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.314{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325402Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.314{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325401Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.314{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325400Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.314{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325399Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.314{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325398Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.314{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325397Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.314{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325396Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.314{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325395Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.314{99D2EDAA-5ABF-619F-0500-000000001002}404420C:\Windows\system32\csrss.exe{99D2EDAA-61DD-619F-6C01-000000001002}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000325394Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.314{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-61DD-619F-6C01-000000001002}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000325393Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.315{99D2EDAA-61DD-619F-6C01-000000001002}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000373067Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:49.122{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=D1D129A2A36B0AE394F080E0C0856C23,SHA256=DB200B185845EEB829B4F33ACCBD2BEEFA3F8508881C2824663F8709ECE30192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325422Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:50.751{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E5F1347C2A5F787A17F90D9B6099BFB,SHA256=C580F193C4DAA692CC0057B39F158CBF4F5233D1FD1E4C2113EC440BF0C7DC88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373069Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:50.722{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5102453A937158F882C1CCC888008FFD,SHA256=8430C330F8A8501DDCE67F4D1CCA16BEA9B1CC91B35851C95E03C8211054095C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000325421Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:50.533{99D2EDAA-5AC2-619F-2A00-000000001002}27242744C:\Windows\system32\conhost.exe{99D2EDAA-61DE-619F-6D01-000000001002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325420Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:50.533{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325419Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:50.533{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325418Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:50.533{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325417Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:50.533{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325416Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:50.533{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325415Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:50.533{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325414Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:50.533{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325413Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:50.533{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325412Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:50.533{99D2EDAA-5AC0-619F-0C00-000000001002}716892C:\Windows\system32\svchost.exe{99D2EDAA-5AC1-619F-1F00-000000001002}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325411Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:50.533{99D2EDAA-5ABF-619F-0500-000000001002}404516C:\Windows\system32\csrss.exe{99D2EDAA-61DE-619F-6D01-000000001002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000325410Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:50.533{99D2EDAA-5AC1-619F-1C00-000000001002}19803144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{99D2EDAA-61DE-619F-6D01-000000001002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000325409Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:50.533{99D2EDAA-61DE-619F-6D01-000000001002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{99D2EDAA-5ABF-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{99D2EDAA-5AC1-619F-1C00-000000001002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000373070Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:51.740{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14F7A67B3CE7295A621E39F71342E7C1,SHA256=5CF94E2287410394FF9AFA05A61BDFD32E050057926E64261FF5377D60E5BAD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325424Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:51.767{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AEE80524822DBA0B0FE0DCE3EBDBED4,SHA256=074A45207631E15C831D8620359A2A6C0BEB88F5547313ED60B9F8BB5BE5943C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325423Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:51.751{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFEDAAF7BF35575AC9042439761288F,SHA256=74415211EFDBD8D2ED788ED9E3251BD6E1BECA7EFA5DF2E9AF2A3AC546E2215D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325426Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:49.867{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50104-false10.0.1.12-8000- 23542300x8000000000000000325425Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:52.782{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A3B5E1ADA47F19220215487127A2A4,SHA256=62668868C5392CDDDE01F8B11759483054C99639D6F4BBC14B6E50B8BCDE7042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373072Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:52.771{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81661569A2678974EA84841D4AAE583E,SHA256=3F335835BE00822DD08FE5EF9405FEAED1205B19C96EE95D56543BB0A03C7F76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000373071Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:50.242{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local62667-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000325427Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:53.861{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD92FCB5F72F551A6039BDD594C1A37E,SHA256=7C61AE23AFE84B01B044FB01C0878E16EE21C36CEB4A3E8AC3F2D6DC952749C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373073Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:53.801{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208798B1151C61703DA9D831C39BE87B,SHA256=F78B3FE0E2E0D4BCCF21E3CBB58F81675DF74BD982ECB444D9D6107D009D285E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325428Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:54.892{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDEBD012294D3BDF20EE0AA9C0F4186,SHA256=232FE547E6A891195EEA754B2A9B5EACDC868B3E6184983DBC25A64D32FE9E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373074Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:54.870{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E6938F4B11E1E4647CED562CD4C9EC,SHA256=F56E69D8FEF034D2F855E847D759FA25C88128864745A2252A0916CEFC56D00F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325429Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:55.892{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615CA58EEEAFBD3566F31331932753FD,SHA256=B80F9B760EEFDFC979C009967F8F3847764C8AF9FE35B71F958EEED5E1A9FB47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373076Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:55.879{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF4B115A3D40ABEA0894D5CDFC8C295,SHA256=C1CFDAA718BFF75B5DC832882011033CE480B90C4D1C112DED23B155BB798A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373075Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:55.500{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\saknttb2.default-release\startupCache\startupCache.8.littleMD5=D19CFA70D277589A0D148DD1F995193B,SHA256=28DEE99B5E73C746EFFBFE668B38D0982037E673FA0C06E3D33AF30571DE7B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373078Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:56.879{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BF8FC58D3756953FD519F60175294A,SHA256=A4D4115FCF2D5B22EE323893F3AC8B997AFE775E19C82FA97F3324F007E2856D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325430Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:56.892{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F8B4810DFAF5E358FECEFB943ADC0E,SHA256=6F261A8B3E6F5ECE5FC2E18DD4D9F2B14AC454F0172907FF12A4D0B292AEE61A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000373077Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:56.832{27B459FE-5AC4-619F-0D00-000000000F02}8965976C:\Windows\system32\svchost.exe{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000373080Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:57.894{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D6D7E98D36B0B89CA02E87B224B084,SHA256=1062DBE3F9B092AA272198143346480680FC4479588FC82503F10132EB06F926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325431Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:57.892{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D79F0C4CE26F2D0B8F605EF36669578,SHA256=961F86BAA0B465CC7484E3275625294C57B725A3EA0E0C2DB2AE6CAC19A3307A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000373079Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:55.255{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local62668-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000325433Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:58.892{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62362A6B9B8FDAC8818169016F945DEA,SHA256=7A812B968A150E29D492ACBED982FE4FDB8B416F85D2B020AA64C6D4C1EB4690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373088Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:58.932{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F5C5769D550B3E43BA1CB2907967C5,SHA256=55449F4D5371EF590E0018B6FA61FFA5F4E277A70AC7D9DC46BC01F502ACC464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373087Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:58.594{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\permissions.sqlite-journalMD5=8219A2E42DB5D0F9C8D60613ADC704F9,SHA256=DA482724294B220C4BA53D848C8BC54CD4A7C0721F4B5989610150DFE894CA73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000373086Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:58.532{27B459FE-613B-619F-9B01-000000000F02}45563836C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b1b61|C:\Program Files\Mozilla Firefox\xul.dll+92d524|C:\Program Files\Mozilla Firefox\xul.dll+9523a9|C:\Program Files\Mozilla Firefox\xul.dll+9522ca|C:\Program Files\Mozilla Firefox\xul.dll+951ed9|C:\Program Files\Mozilla Firefox\xul.dll+94dc7f|C:\Program Files\Mozilla Firefox\xul.dll+94df8c|C:\Program Files\Mozilla Firefox\xul.dll+aa87ba|C:\Program Files\Mozilla Firefox\xul.dll+2d2329|C:\Program Files\Mozilla Firefox\xul.dll+2d2234|C:\Program Files\Mozilla Firefox\xul.dll+2d2035|C:\Program Files\Mozilla Firefox\xul.dll+2d1ee4|C:\Program Files\Mozilla Firefox\xul.dll+acfe73|C:\Program Files\Mozilla Firefox\xul.dll+ad0ff1|C:\Program Files\Mozilla Firefox\xul.dll+acfb6d|C:\Program Files\Mozilla Firefox\xul.dll+acee12|C:\Program Files\Mozilla Firefox\xul.dll+af7035|C:\Program Files\Mozilla Firefox\xul.dll+19a869d|C:\Program Files\Mozilla Firefox\xul.dll+afd568|C:\Program Files\Mozilla Firefox\xul.dll+f4a91d|C:\Program Files\Mozilla Firefox\xul.dll+eb5ad6|C:\Program Files\Mozilla Firefox\xul.dll+e95ae0 10341000x8000000000000000373085Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:58.494{27B459FE-5C05-619F-B200-000000000F02}47484212C:\Windows\Explorer.EXE{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373084Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:58.494{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373083Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:58.494{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373082Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:58.478{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373081Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:58.478{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-613B-619F-9B01-000000000F02}4556C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000325432Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:55.695{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50105-false10.0.1.12-8000- 23542300x8000000000000000325434Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:13:59.897{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC85685806F5ACD32F179E4640CD883F,SHA256=F12E06328B6D161CDBC03977851B92BF7D10D68AEAB373DF51B18194307EB1DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373098Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:59.967{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F03FFB9A368FCFD78C249B9C3382EE,SHA256=B60473FDBAC7778283919B8F5E1D590C6AE66960162657C705697CE1E4B48709,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000373097Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:59.532{27B459FE-5C05-619F-B200-000000000F02}47484212C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373096Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:59.532{27B459FE-5C05-619F-B200-000000000F02}47484212C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373095Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:59.532{27B459FE-5C05-619F-B200-000000000F02}47484212C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373094Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:59.532{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373093Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:59.532{27B459FE-613B-619F-9B01-000000000F02}45564232C:\Program Files\Mozilla Firefox\firefox.exe{27B459FE-613D-619F-9E01-000000000F02}136C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38200|C:\Program Files\Mozilla Firefox\firefox.exe+380f6|C:\Program Files\Mozilla Firefox\firefox.exe+496d0|C:\Program Files\Mozilla Firefox\firefox.exe+493cc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373092Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:59.532{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373091Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:59.532{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373090Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:59.532{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373089Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:13:59.532{27B459FE-5C05-619F-B200-000000000F02}47484904C:\Windows\Explorer.EXE{27B459FE-5CDA-619F-E300-000000000F02}2260C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000373099Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:00.979{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B70101FE471F3E575608C01AFED4A7,SHA256=B77BDCB69C5056FAC165B851CBF6461C0309C7987FF3FFBA7602D6810EBE47B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325435Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:00.897{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5EF943EABF3BC192FD9B9114041D277,SHA256=859F6B6D00BB0FF3FFC2725BD9BA8C291337661B0DE18A155981D4DD198709E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325436Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:01.912{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B981611229B212B98F843A76CA619C9,SHA256=185CABD2006D599F0AEB99AEEE62A1CE01CCAC26B87992978124BDBFCC0C0A64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325437Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:02.928{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9629753F1D85C3CBA85849D6C95F8E7,SHA256=44960590643A603D417A74DA1525B8D0C2727F89B45DE720FF03B55CB0C218D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373100Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:02.016{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7E5F6FEDB88DC3CD23CB34384199BF,SHA256=FA1BE3F3798C5DC47CD604445892DFD505472D14C46EDDBE9B470E13722C1005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325439Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:03.975{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15AFFD7C5120C877FF8D008287CBDAF2,SHA256=96728190BE3750967EEF987940CFA64CE0BC2FBC68CE4C993623AC6BA6FD7A9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000373102Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:01.137{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local62669-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000373101Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:03.031{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3534D3D2347AB3A1289795D2AF5A88E5,SHA256=F076497303AFDB2367B0840AD5C254DC7855266B441E4198A005AA4F2E43261D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325438Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:01.715{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50106-false10.0.1.12-8000- 23542300x8000000000000000325440Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:04.975{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECF527D60772A8342C81927B1E007E4,SHA256=80AA6BA995E7AA9E1A4F4223421C806866516D2B8AE6C3806A38EA5ACA30B539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373113Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:04.693{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36CF9640EF6F2343942EC3858230F51A,SHA256=0CB3A53C28BF28B728160A71BA5E3C881EC83B144C6C89CB0A039C26A51B442D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373112Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:04.693{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBB1774C92D45B13DF16034B9CB4A0CE,SHA256=0194660263A1B88E9FA91188DE36DEE89BFD313703D69FBBCA5E2BCF21BF57B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000373111Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:04.477{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-61EC-619F-B901-000000000F02}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373110Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:04.477{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373109Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:04.477{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373108Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:04.477{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373107Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:04.477{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373106Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:04.477{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-61EC-619F-B901-000000000F02}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000373105Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:04.477{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-61EC-619F-B901-000000000F02}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000373104Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:04.478{27B459FE-61EC-619F-B901-000000000F02}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000373103Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:04.062{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34B5364FD013D5E4921BE3B8146DEF59,SHA256=8D8D4089FC554B7FFE45E45F7FF3A1DA6B580FF73C4906F486E577F0A29F9935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325441Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:05.975{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8A9E440F0E47D1EB3955BD6EA2C875,SHA256=B5C3C3754C250FE9DEA30DDF2BB16DD14A8D40BCD36780F8AEAA0CCE041C3746,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000373125Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:02.717{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local62670-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 354300x8000000000000000373124Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:02.717{27B459FE-5AD5-619F-2700-000000000F02}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-266.attackrange.local62670-true0:0:0:0:0:0:0:1win-dc-266.attackrange.local389ldap 10341000x8000000000000000373123Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:05.577{27B459FE-61ED-619F-BA01-000000000F02}65566560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373122Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:05.346{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-61ED-619F-BA01-000000000F02}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373121Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:05.346{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373120Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:05.346{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373119Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:05.346{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373118Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:05.346{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373117Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:05.346{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-61ED-619F-BA01-000000000F02}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000373116Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:05.346{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-61ED-619F-BA01-000000000F02}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000373115Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:05.347{27B459FE-61ED-619F-BA01-000000000F02}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000373114Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:05.093{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF04B8A99198D1E36B610A94E308C6D,SHA256=37C7EFC52B8BC6613C47358CC93A64D3700BCFC2BF64571B706095CC731949B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000373170Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373169Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373168Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B400-000000000F02}5088C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373167Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2B00-000000000F02}3000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373166Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2B00-000000000F02}3000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373165Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373164Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373163Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373162Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373161Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373160Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373159Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373158Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C07-619F-B300-000000000F02}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373157Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373156Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373155Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373154Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373153Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373152Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373151Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373150Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373149Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373148Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373147Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373146Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373145Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373144Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373143Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373142Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373141Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373140Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373139Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373138Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373137Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373136Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.829{27B459FE-5AC4-619F-0D00-000000000F02}896916C:\Windows\system32\svchost.exe{27B459FE-5C05-619F-B200-000000000F02}4748C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373135Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.411{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-61EE-619F-BB01-000000000F02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373134Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.409{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373133Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.409{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373132Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.409{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373131Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.409{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373130Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.409{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-61EE-619F-BB01-000000000F02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000373129Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.408{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-61EE-619F-BB01-000000000F02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000373128Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.408{27B459FE-61EE-619F-BB01-000000000F02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000373127Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.360{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36CF9640EF6F2343942EC3858230F51A,SHA256=0CB3A53C28BF28B728160A71BA5E3C881EC83B144C6C89CB0A039C26A51B442D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373126Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:06.114{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54858A5B3B4FB9F1C4D000620156039,SHA256=A1C9ED881AA8998AA091EB0C8A010A5E6D1EAFD2A1E46FE2E53D702F500C1200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373172Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:07.629{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3041D97E1D4118F00664AD0D3A5DB2,SHA256=0F5089AA089B73BD185B1E557575B6EA2FCE6579BF09A7AD157718C167F3ACD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373171Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:07.629{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F99C83D2BBE3AE8FF5AD0FCADA460DC,SHA256=D923C8338E6D2A81C463F9055D906A2D4CBF56C12FDFE03040C7762FFFFBFA0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325442Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:07.037{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2464008F96D1E8AACECA545EDFF93CF6,SHA256=9C58F49781449C8FCB75EE6E800CAA9A002D9324387112724A5E132A5A0205B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000373185Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:08.835{27B459FE-61F0-619F-BC01-000000000F02}66326428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000373184Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:08.632{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB570E92762FFDC4A89B28E4F0D2937,SHA256=10214E51AD0B2728054620F1ABB944A302A25B6CFE2EA37A68D2F69A0093EFA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325443Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:08.037{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD854354C8DA7FDAB1E8105037EC7196,SHA256=2A08B4CBB365299DAF737DE955FDC5076DD02F490560124D419053338C85C2D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000373183Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:08.563{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-61F0-619F-BC01-000000000F02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373182Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:08.563{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373181Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:08.563{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373180Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:08.563{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373179Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:08.563{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373178Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:08.563{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-61F0-619F-BC01-000000000F02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000373177Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:08.563{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-61F0-619F-BC01-000000000F02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000373176Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:08.564{27B459FE-61F0-619F-BC01-000000000F02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000373175Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:14:08.494{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\583610C9-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_583610C9-0000-0000-0000-100000000000.XML 13241300x8000000000000000373174Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:14:08.463{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A6F3BE35-2816-4299-8BAC-44B9E4617F8F\Config SourceDWORD (0x00000001) 13241300x8000000000000000373173Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:14:08.463{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A6F3BE35-2816-4299-8BAC-44B9E4617F8F\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A6F3BE35-2816-4299-8BAC-44B9E4617F8F.XML 354300x8000000000000000373212Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:07.531{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local62674-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000373211Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:07.531{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local62674-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000373210Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:07.520{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local62673-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000373209Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:07.520{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local62673-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000373208Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:07.476{27B459FE-5AC4-619F-0D00-000000000F02}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local62672-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local135epmap 354300x8000000000000000373207Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:07.476{27B459FE-5AD5-619F-2900-000000000F02}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local62672-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local135epmap 354300x8000000000000000373206Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:07.168{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local62671-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000373205Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.729{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-61F1-619F-BE01-000000000F02}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373204Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.729{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373203Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.729{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373202Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.729{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373201Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.729{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373200Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.729{27B459FE-5AC1-619F-0500-000000000F02}416432C:\Windows\system32\csrss.exe{27B459FE-61F1-619F-BE01-000000000F02}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000373199Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.729{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-61F1-619F-BE01-000000000F02}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000373198Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.729{27B459FE-61F1-619F-BE01-000000000F02}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000373197Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.644{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F69AD9A836B4D7A352EAEB11B019E4E,SHA256=AA4D3385C1FBF98AA55714506FF7B770214141C8170332BAA3C6EFBF6C4501F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325445Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:06.872{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50107-false10.0.1.12-8000- 23542300x8000000000000000325444Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:09.037{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96D3596F0C66C2C7075040D30F457F6D,SHA256=50C52E776E0A53D343D9AAF4B81ACB5D663D541EF02B4174744CFE094DFA7D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373196Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.498{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5544FF14D217AF628A5D34E78868469F,SHA256=95C31C8EE1B005A40D67590C7BFF508AF86ABD1D7FB1FC48CC3532ED5E6E51A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000373195Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.356{27B459FE-61F1-619F-BD01-000000000F02}65966612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000373194Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-SetValue2021-11-25 10:14:09.310{27B459FE-5AC4-619F-1100-000000000F02}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7e1e5-0x2f9a098e) 10341000x8000000000000000373193Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.066{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-61F1-619F-BD01-000000000F02}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373192Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.066{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373191Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.066{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373190Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.066{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373189Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.066{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373188Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.066{27B459FE-5AC1-619F-0500-000000000F02}4163008C:\Windows\system32\csrss.exe{27B459FE-61F1-619F-BD01-000000000F02}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000373187Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.066{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-61F1-619F-BD01-000000000F02}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000373186Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:09.067{27B459FE-61F1-619F-BD01-000000000F02}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000373215Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:10.740{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3DAFE1E2FBEB7D0127794333B94AFD4,SHA256=02D1D90210E89293F88B2093D82E7A27C36DD729C13C5DB389C18D2214000F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373214Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:10.662{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77616692368F6DA85A13D77BEFF4CEE9,SHA256=7BEA5800114BCE1702D002D3AE8F5AE6C366EB848F084A9CC17554C45E81CD79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325446Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:10.037{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B876C4E369B879B4E68E7FC032F8C51,SHA256=57A650E684B6C3965E0D98CB547403656D218751F3BA8EA3DAD52DA846E2AB74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000373213Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:10.054{27B459FE-61F1-619F-BE01-000000000F02}66806636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373224Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:11.825{27B459FE-5AD6-619F-3500-000000000F02}32803300C:\Windows\system32\conhost.exe{27B459FE-61F3-619F-BF01-000000000F02}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373223Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:11.825{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373222Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:11.825{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373221Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:11.825{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373220Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:11.825{27B459FE-5AC4-619F-0C00-000000000F02}836944C:\Windows\system32\svchost.exe{27B459FE-5AD5-619F-2A00-000000000F02}2924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373219Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:11.825{27B459FE-5AC1-619F-0500-000000000F02}416356C:\Windows\system32\csrss.exe{27B459FE-61F3-619F-BF01-000000000F02}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000373218Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:11.825{27B459FE-5AD5-619F-3000-000000000F02}24363600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{27B459FE-61F3-619F-BF01-000000000F02}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000373217Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:11.825{27B459FE-61F3-619F-BF01-000000000F02}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{27B459FE-5AC2-619F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000373216Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:11.677{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF01988178854F8CA3F0708542049C2,SHA256=E28CD015A4E8E2621F6B1701B848A8CCE571BD1452FAA15AC8F7C82BC7F9B3F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325447Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:11.037{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D13C04A026CD9B64424CF2013D39693,SHA256=7A568F0941A83FE0DC0DB92526B299162F0B637A39295CF08BAE7AE3670C198C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373227Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:12.839{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=072703DE85B325461CCC134C65DAAD11,SHA256=631BBEEEC2E8C5F9303956B7A32D63DF0CF06FB7D90F67D68D905FC529D6393F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373226Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:12.708{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE92A5899A3D452C6A363893C208EFCE,SHA256=82C5F039D1C0C26046659421A7937A81A69DAD152BDC8E23E75FA22D8207316B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325448Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:12.037{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6507B0C5288B46FE7608F8E4D25D477,SHA256=E2E4D0B846DC3D94060B3125AA3D98F6FC9D0FF50E68E12DCA29E3171E8C52E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373225Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:12.124{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=4698FF7CFEF9064AFD7FE88D67919E22,SHA256=0531BBE28F6CEC6F05E6BE7970054F78CB0726691526CF7491689C3D1E1140F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373228Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:13.712{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DC656E30E70C0947DF92B905CB5366,SHA256=979B68D7A0529BA934F7223159654329B534276AC317586F2C5CC822813B5784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325449Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:13.053{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063C7575696D43F6982EE7964DF19734,SHA256=BD383D4968D5BE9D8EBE62EDB505A89A87FC5C468AC51730B4A12F9539ED6499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373230Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:14.897{27B459FE-5AD5-619F-3000-000000000F02}2436NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=62C7AAB9D2B1F9C65B3A084D621889FB,SHA256=060333D265AB0CD6FD07FD805D7FA39CE25A103D1816164816A633065F6E9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373229Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:14.712{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50368B150804143AA0C94D9EEF04EBC0,SHA256=D4C99E0A184EB326FCF69171C27A7E7704A25E54EC63AABA9353FDF9CB8E5F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325450Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:14.053{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78587D1731E6F401C4F1BF1CF03010F3,SHA256=923EB1785321C833B1EB294A8F7E5F3CA369FD4688DA809D8B11AC0C5924FA7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373232Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:15.712{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0ED3E01652BEA654B00F5B267B4618,SHA256=F5A00B0F1FDEA3B1AADB055B1A12D9DC367CB1A8BD95A879B3EBB86ED4B1DC1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325452Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:12.684{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50108-false10.0.1.12-8000- 23542300x8000000000000000325451Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:15.053{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285422F81D561DD13CD879D70B91D929,SHA256=A487552AE54162E0F9A8FE0E55E9F5E05C3FFFE054C79F7A9372273647ABAE7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000373231Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:15.581{27B459FE-5AC2-619F-0B00-000000000F02}640680C:\Windows\system32\lsass.exe{27B459FE-5AA4-619F-0100-000000000F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+31345|C:\Windows\system32\lsasrv.dll+2f1db|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000373236Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:16.743{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1AB1E6B5B4DD388046DE65B23E7F62,SHA256=84187395D703D10A3E4A6CBD12F922A636A87BD8684FEDE9EDD582F518925901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325454Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:16.852{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\respondent-20211125094332-029MD5=02E4D21047792633143BB4183E4CDE5B,SHA256=E094046A350299AD43EA9BB5FBB64AC2F873042C7560BEB5B2E783BAA598DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325453Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:16.084{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E289F95FD6A8375DADD8094BA03949F6,SHA256=536A70D99452494BD16D5FDE99DA16A5DC10993B18FB5385A686BEF12AD4C332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373235Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:16.497{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C0C4CC3A05347F4475DBEF340A80A55,SHA256=6B38F0D96A54A2EEED5A8D1382280C5BB480C14789BCC3049ECB3064E2495F88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000373234Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:12.985{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local62675-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local445microsoft-ds 354300x8000000000000000373233Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:12.985{27B459FE-5AA4-619F-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local62675-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local445microsoft-ds 23542300x8000000000000000373248Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:17.743{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF333054CB70598AF285F8A12D26E413,SHA256=816EEA49A816773CACD59D81F25E76F8E5B2472381EDFE631B710FE9006CB7FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325456Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:17.854{99D2EDAA-5AC1-619F-1B00-000000001002}1864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-058859959b083eebd\channels\health\surveyor-20211125094329-030MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325455Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:17.086{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E114FD782CBB3E95962592EB37CAF8,SHA256=9DF724766532FE55A045A946576853D757407D10BD19FC289D2E28BDFB752BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373247Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:17.612{27B459FE-613B-619F-9B01-000000000F02}4556ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\saknttb2.default-release\datareporting\glean\db\data.safe.binMD5=47FF9F812C326D34A8A0CB72B25439DB,SHA256=C68791EEC872A0AE99C401061DBB08CC3D51C5F8D70EF64A166E6387DE7D73B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000373246Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:14.524{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-266.attackrange.local62681-false10.0.1.14win-dc-266.attackrange.local389ldap 354300x8000000000000000373245Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:14.524{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local62681-false10.0.1.14win-dc-266.attackrange.local389ldap 354300x8000000000000000373244Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:14.512{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local62680-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000373243Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:14.512{27B459FE-5AC5-619F-1600-000000000F02}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local62680-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local389ldap 354300x8000000000000000373242Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:14.508{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local62679-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local49666- 354300x8000000000000000373241Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:14.508{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local62679-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local49666- 354300x8000000000000000373240Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:14.507{27B459FE-5AC4-619F-0D00-000000000F02}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local62678-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local135epmap 354300x8000000000000000373239Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:14.507{27B459FE-5AC2-619F-0B00-000000000F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local62678-truefe80:0:0:0:e1d0:7c7e:1373:1fbdwin-dc-266.attackrange.local135epmap 354300x8000000000000000373238Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:13.905{27B459FE-5AD5-619F-3000-000000000F02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local62677-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000373237Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:13.135{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local62676-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000373249Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:18.780{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDEE7DF173A91E8FDD39B8F067E4BA9,SHA256=DC22AD559564535C2645FBEB3166D855B05D2A3EEA744831D6E019EC61C6BDAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325457Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:18.101{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9FC346F41777E47597291E290F20801,SHA256=2E84E778FC5ECCD038DF6828545EEC4D1364BCD5A1613526F255A4874734EE4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373250Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:19.795{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FEB67AD703CAFD3A7BA844170EC7D8,SHA256=633DA2F15F238EF7F3C2043EA20A7EEFB65DCF956D2FD47C169CB94ECEEB20F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325459Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:17.705{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50109-false10.0.1.12-8000- 23542300x8000000000000000325458Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:19.119{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70F90A0660022B8B88FD5B803A1FE94,SHA256=AF47F7D3983DFBDD2FE7FAF1B836BA3A2F0A7AD6B4EC97593178094CB412FB9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373251Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:20.810{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9875EEE313814C8ABEBA699E7B592FA9,SHA256=87F6443E5648A0F3F9439A3D0EDC14A3BF075EBEA7AC30EDCCE18E40E504403E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325460Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:20.177{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F32E8F5D3C4100D47353566E24732EB,SHA256=821075AD69FCB7B79CF23DE7FFB034AF7451DDC7F9057EFA50415A1480842B24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373252Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:21.825{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3369E01485661541A674A4EA2CBAD5E4,SHA256=DF758F927CC6508A4EC28F22E60A44187DBA3DC75C90B648BA42B918D45E472D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325461Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:21.208{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A494148385F745CFEEF05D3FA33504B,SHA256=D045068C5A140D957B6FC6BC59E637765D0D8CA941EA0E876127030CC0EF44A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373254Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:22.841{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B5875F6E8B007EEA8818F6E92988DA,SHA256=60D583DD39048ACDD577C5CC651753E50A8F1A8A5602EF845CD0D97F3247FF40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325462Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:22.208{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FFC034FB871F9AA96A0B3640E99F60,SHA256=6F117FFA34ABDDC3E38A309DD9E14723EBB4D9B3B99E00D50E4D120CA24BB707,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000373253Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:19.165{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local62682-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000373255Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:23.858{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F4AD268C5F6BD5CC5B1260122BD4F0,SHA256=1B118245332D573974EA51A348443A802BCEF5388044ECC2A652B94F7D8736B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325463Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:23.255{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C47F8D2952E591D26C7745AE31C473,SHA256=E440D118745BF3CD196FEFD2D8F11C35AF98A1CE0040985439F863BFC32E653C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373256Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:24.892{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4719B899908046F53C5F68FAAF27F84,SHA256=D64017461E59CE82AC23F430BB16D7A4ABE63E16AEFDF68EB321A64FBF544A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325464Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:24.286{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A0A26FC1FCFC98D7B677F0103851FE,SHA256=9886E1A1DAD8213C2711C3312AC7C4156DB0649B36C98113F40908DF3B7CFF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373257Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:25.907{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50ACA4A84A15C62E77D38AD93CBE4882,SHA256=443687328FEA2CAC4B9DEFBCC1F25809FC12D49CD65A3BCAF7BE1D531FA1C11C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000325466Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:23.715{99D2EDAA-5ACE-619F-6700-000000001002}3908C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-61.attackrange.local50110-false10.0.1.12-8000- 23542300x8000000000000000325465Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:25.302{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE9502ABE20E0CEEFF62A24B3631D0A,SHA256=0F26C1B3C281969BC70D6A909CA2E46ADD8BCC64290E47E684489624A0333308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373258Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:26.922{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CC310388BD0FF12EBFFFCF74AAE67F,SHA256=7923CDAC45A767F51E019083A61E4598DA06B84B5C38BECD0B618E4BBA2536BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325467Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:26.302{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69DF5B4109AB0E1F437F6BA64134028,SHA256=4441B47E3200E19ABBE8A15B41E01D4BBC8B04F537F6AECCC74BEDBA9C559228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000373260Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:27.936{27B459FE-5AEA-619F-7700-000000000F02}520NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434CB92460CA2920CA861BC378C94343,SHA256=83BB6708540F1ABA74182659FEDFA604AA84C1289D4B4300EF9C4E8FFF517077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000325468Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:27.380{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AF3BA01DD2466844E32FBE7C0BBC42,SHA256=5715A14ABFC38285F9CF1D799B559678C7541EAD18AC6C3FC41F7E4A8C085131,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000373259Microsoft-Windows-Sysmon/Operationalwin-dc-266.attackrange.local-2021-11-25 10:14:24.199{27B459FE-5AE2-619F-6E00-000000000F02}3872C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-266.attackrange.local62683-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000325469Microsoft-Windows-Sysmon/Operationalwin-host-61.attackrange.local-2021-11-25 10:14:28.380{99D2EDAA-5AD5-619F-7000-000000001002}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D31F91D3FAF10EED1A970FE7796DFA,SHA256=042B60F31016CF12EF192970E38CD7DB0154E00BE3D9970A24EABFEB3CF2DE6F,IMPHASH=00000000000000000000000000000000falsetrue