23542300x800000000000000082702Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:14.971{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77AF2AC09A1C85101635462630926845,SHA256=A2D98DB09E5FA85652B501042BB68B13E77A7003446F70C70A68DCCB25EBA0FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:14.537{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0219F4977C5F174431C77183529594,SHA256=933CF9F66EFD28AE25E799F6583BFB4C2B9FB4FA38383DA15F3745F51DD40CA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:14.349{2E1864BB-FC96-629E-0B00-000000006002}628368C:\Windows\system32\lsass.exe{2E1864BB-FC7A-629E-0100-000000006002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+976d2|C:\Windows\system32\kerberos.DLL+79b14|C:\Windows\system32\kerberos.DLL+1444f|C:\Windows\system32\lsasrv.dll+2f1c1|C:\Windows\system32\lsasrv.dll+2d0a6|C:\Windows\system32\lsasrv.dll+328e9|C:\Windows\system32\lsasrv.dll+30237|C:\Windows\system32\lsasrv.dll+2f1c1|C:\Windows\system32\lsasrv.dll+174fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000264407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:15.630{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44347B98087E4DCE5242D70457CD7FD4,SHA256=225FBB98E4125AA38F265FEBBA00CBB07A306AB2F3F4404DAB8AFFA87AD5A482,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000082713Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 10:12:15.377{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000082712Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 10:12:15.377{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009b601f) 13241300x800000000000000082711Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 10:12:15.377{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d87a4e-0xad8dffe9) 13241300x800000000000000082710Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 10:12:15.377{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87a57-0x0f5267e9) 13241300x800000000000000082709Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 10:12:15.377{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d87a5f-0x7116cfe9) 13241300x800000000000000082708Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 10:12:15.377{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000082707Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 10:12:15.377{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009b601f) 13241300x800000000000000082706Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 10:12:15.377{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d87a4e-0xad8dffe9) 13241300x800000000000000082705Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 10:12:15.377{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87a57-0x0f5267e9) 13241300x800000000000000082704Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 10:12:15.377{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d87a5f-0x7116cfe9) 23542300x800000000000000082703Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:15.143{0A5DF930-FCE1-629E-1100-000000006102}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3E3835FB5F73A70375E7BEA131E5EAD0,SHA256=32F4011FEB9822C514B3E4D3AAAAE5CAC849FC0A21FA3E723684627770C73238,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:13.798{2E1864BB-FC7A-629E-0100-000000006002}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58724-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local445microsoft-ds 354300x8000000000000000264405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:13.798{2E1864BB-FC7A-629E-0100-000000006002}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58724-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local445microsoft-ds 23542300x8000000000000000264404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:15.412{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4150C55D9F615592BA5C99DDBF09D14,SHA256=14F3C0033448A7434EC57BCAFB29FB935247532866B121F217CAC4ABD7E1B941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:16.724{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6645DD2741503A6D0FB11BC8695581,SHA256=314DB2BE3A513D7AEBBDC34DF5266725919A642A67A76AA4F72E327A3CD83F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082714Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:16.283{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A74139336D95E5F6B14481E2F63F2D7,SHA256=D7E46C87D16E4AD25CE43C1045EBBDAF7C08155955C000F953E60889B013E655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:17.818{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D459AF0A62B3A0A09867E92176A3683E,SHA256=17FDF946B12B07B103742DA8AF2C8EAEEBF3E7EA866995D7AD0B9D97E938E1AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082716Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:14.786{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51684-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082715Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:17.382{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1285162B303A415CE27A2D9EF4CA5B13,SHA256=A99B0C10AE1D137748A834C7BD1FC4762E21C26D47A0D27906A9CAB969547442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:18.913{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11452E8E423982768011E3A2B3C63869,SHA256=484EA8607EDCB3560DB64A64957E4A79299ADCD0128E84C3BB22114565367D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082717Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:18.476{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46BBDD7A930763EBB879E16C38945C8,SHA256=119ADBD8CA26CD7E8FC3FD5FABF8038DBA342DE022AAE6BAFACFEDE7FCDFB1AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:16.516{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58725-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082718Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:19.788{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79DADB5C037795CC9B9BF6E4EAD3BEF,SHA256=CB7A04C11C169E9F23CA25D4E85F9AE2619AFAD7D01A63B4FC5EA8293B69D48B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082719Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:20.882{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D7E3383344C8527281DBBEB24CD6B2,SHA256=0FDC367F541372013F55A01F4BED1BE00B29A2325B4E32C0F36F82828C46B391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:20.007{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AFD39A09B72202D16D7166097C6CD1,SHA256=93BB4F0E40143A826B37A6AEFC6DF46CFACBD194D637295B9211D809D0083561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:21.100{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F2767D0E80A9F9D4E6B233A88335B6,SHA256=77A72EDBD993C421F021BA2B2CFC4048B2C25D6D39C4DEB576426F7451A8636C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082721Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:20.681{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51685-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082720Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:22.085{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016F09E4D2FA12FE8B9881D10282317B,SHA256=372E1412B6F64AE8D8765B981EF7E0A37FC34DF159A65D8C896207EAABD64B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:22.194{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3BF9DCAF5B27497380E1879576BB9B,SHA256=9C1022237149BCB3314342A374E67DF0AE1377E50FB3758F54F654CDE83921BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082722Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:23.179{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8A074525D9A417540721D327B53B10,SHA256=9B7A1915755FD9038C9A85E2217A94CE803DC629250D14CB2DC3154B252A5DD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:21.533{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58726-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:23.288{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A040CBEFB8A20EE7A8B6EB3899ECF9CA,SHA256=A3206D95863298739D4554AA765CD3193FBAC071662B51BCFFB9A70A2792D1C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082723Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:24.382{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3EFD9D7BB7F3CEEDF884E6742F1B895,SHA256=2531E2C32324DB03267E7DBF212BCC8E924DA276ECA1F07AE5B8E2DE734C6941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:24.382{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D63BD6713666A36467D170DE6A659F2,SHA256=124D99794F28E7D9CFD187F4B16A1E6ECA3E27ACB348BEBA882B329073416A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082724Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:25.476{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF40CEB7BE0DA636DA4CF332D0993112,SHA256=CA4CC3AFCC7887B862925C487133E18C43E5133FAFEDEB0D833FB0ADC4159BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:25.475{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A075DA2777D423B780147FED265915ED,SHA256=B5C9A721C3418BB93C7A5F5F5901110779DE5495D67DFEC9D0F2B0B20E4FFE86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082752Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.601{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-248A-629F-4805-000000006102}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082751Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.601{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082750Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.601{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082749Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.601{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082748Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.601{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082747Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.601{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082746Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.601{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082745Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.601{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082744Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.601{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082743Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.601{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082742Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.601{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-248A-629F-4805-000000006102}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082741Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.601{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-248A-629F-4805-000000006102}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082740Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.602{0A5DF930-248A-629F-4805-000000006102}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082739Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.569{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113F1B0B2E8E71B984DC7891C358E589,SHA256=ACDF8B1A8F650A913AF11EFAF9835705F5E0BF20B99566B4D30FFA8005986868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:26.585{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EAAAB34A562E2C6B78FF5B7934BEA59,SHA256=98DB36AD0F71F01B2EC22D08C41D38A8132E390735C6032C21A89688D01B715D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082738Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.382{0A5DF930-248A-629F-4705-000000006102}2872832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082737Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.101{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-248A-629F-4705-000000006102}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082736Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082735Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082734Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082733Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082732Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082731Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082730Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082729Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082728Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082727Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.101{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-248A-629F-4705-000000006102}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082726Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.101{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-248A-629F-4705-000000006102}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082725Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.101{0A5DF930-248A-629F-4705-000000006102}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:26.257{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A0F664B27251747DA7EFA9626F33C66,SHA256=76874F8EFFD842C8F17D07F0B98A017A7CA6CBD110EE88DF5C483DD5656F107A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:27.679{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A7965DAECDFE7CD15156A2C026D893,SHA256=4AA12A10754ED7B0875C743F7E56529BD6983192E2F4269DDA6A7AE39D7E9C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082766Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:27.147{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4278BA1AFF1B3B06F72A3C212E21B5E,SHA256=3B7A7A220AAB70377179097095C52BEA01C624BA8D14C0DCE0C48F0DB0842149,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082765Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:27.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082764Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:27.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082763Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:27.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082762Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:27.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082761Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:27.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082760Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:27.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082759Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:27.101{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-248B-629F-4905-000000006102}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082758Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:27.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082757Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:27.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082756Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:27.101{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082755Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:27.101{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-248B-629F-4905-000000006102}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082754Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:27.101{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-248B-629F-4905-000000006102}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082753Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:27.102{0A5DF930-248B-629F-4905-000000006102}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:28.772{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26701D7B955D75FE479C4E8793EC27A,SHA256=092F14AC18C61DD9795549651FE0AE12916E0064C84DD866359A32AEC4CBF0AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082798Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.961{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-248C-629F-4B05-000000006102}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082797Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.961{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082796Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.961{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082795Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.961{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082794Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.961{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082793Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.961{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082792Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.961{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082791Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.961{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082790Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.961{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082789Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.961{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082788Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.961{0A5DF930-FCDF-629E-0500-000000006102}408528C:\Windows\system32\csrss.exe{0A5DF930-248C-629F-4B05-000000006102}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082787Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.961{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-248C-629F-4B05-000000006102}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082786Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.962{0A5DF930-248C-629F-4B05-000000006102}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000082785Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:26.712{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51686-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082784Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.758{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D30B967F5C08BF52ED7F9534656EB7E6,SHA256=1B45458E901778DFB4057655532996AFAE19CCE9C16C8BC56A07D99D6160CD4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082783Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.508{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082782Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.445{0A5DF930-248C-629F-4A05-000000006102}30482308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082781Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.289{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-248C-629F-4A05-000000006102}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082780Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.289{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082779Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.289{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082778Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.289{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082777Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.289{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082776Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.289{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082775Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.289{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082774Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.289{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082773Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.289{0A5DF930-FCDF-629E-0500-000000006102}408528C:\Windows\system32\csrss.exe{0A5DF930-248C-629F-4A05-000000006102}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082772Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.289{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082771Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.289{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082770Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.289{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-248C-629F-4A05-000000006102}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082769Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.291{0A5DF930-248C-629F-4A05-000000006102}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082768Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.289{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B922B795E88515FA3B63AE4A62D1D53,SHA256=BE0A9B0F3BF58386948B3BB0C4375CE990F3B4415CC7D8142C72F5E064F22014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082767Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.026{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220607072316-164MD5=9111EC41FF83C628EF84330FEA05BEAD,SHA256=3F7BCDBE67AB8824DC300550CB45B7322968B387BF2CE401070A8C26F347D813,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:27.580{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58727-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:29.866{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A556D41062D230084615CA6A23FCB8,SHA256=102C6C7A5085B308F0DFD66DD18EDD91B221CDF35253067C4C20DCD85F0B6126,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082815Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.885{0A5DF930-248D-629F-4C05-000000006102}12964012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082814Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.635{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-248D-629F-4C05-000000006102}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082813Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.635{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082812Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.635{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082811Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.635{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082810Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.635{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082809Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.635{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082808Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.635{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082807Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.635{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082806Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.635{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082805Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.635{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082804Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.635{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-248D-629F-4C05-000000006102}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082803Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.635{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-248D-629F-4C05-000000006102}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082802Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.636{0A5DF930-248D-629F-4C05-000000006102}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082801Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.445{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E157A3A8502DB800BB54475C62F1638,SHA256=F756776FE996581801D3E233062CAB2C093FFFE62EB6C14DAD0B64C63644885B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082800Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.179{0A5DF930-248C-629F-4B05-000000006102}25481992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082799Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:29.040{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220607072314-165MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082817Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:30.182{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC1E7DD06386BAE60560AB4FED02AE5,SHA256=C3B82AE67A85C20DE9A10F5F6462026765944298EDAF319A76A35E109CCC41C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:30.166{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220607072217-165MD5=26E254714248D0D79F13F56976A5C4B7,SHA256=C15338F826599CD6AABDB3AEEABC6E7FD705959E0E9A072D05126DC09FC03A53,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082816Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:28.088{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51687-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000082818Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:31.275{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0496696CE825CAF68924E7A78ACA7FC,SHA256=E7A62C204FE933D72B01B552A90982E479E2F20A5EA7B211FF1BB47F5B1381BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:31.276{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE0C3A71D7B17FA57F9474626E924176,SHA256=0DF556FEFB97D240A8D62B9491950BA2811F6350051219BEF08330D380846483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:31.169{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220607072215-166MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:31.059{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FA0FAF63A5A1EABC4081978F67360292,SHA256=8BA95972C9B39F7CDF0E2396CE161F4329965E1B0773B721D0C2F9DDE2BA40DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:31.059{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5513924EE79174794A42F3CC634895,SHA256=076EE445447750DBC39CC67E18FB63BAAFDCE49051C154570EF375CEE1EBA7FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082832Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:32.963{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-2490-629F-4D05-000000006102}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082831Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:32.963{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082830Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:32.963{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082829Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:32.963{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082828Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:32.963{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082827Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:32.963{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082826Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:32.963{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082825Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:32.963{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082824Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:32.963{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082823Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:32.963{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082822Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:32.963{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-2490-629F-4D05-000000006102}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082821Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:32.963{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-2490-629F-4D05-000000006102}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082820Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:32.964{0A5DF930-2490-629F-4D05-000000006102}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082819Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:32.385{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD5BE45BE33522501B39633AA6B5960,SHA256=9B08B757B31400D14C3E3DD67B11A8A00CB58405727A780CA91ADC12B398380C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:32.154{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57F045325F57DBF7FBCFC62B2ED8B18,SHA256=9A8A0785CE925D9A44F0FBBFA57C21FD43B611C2F056EF076589AB1AD6F38506,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:29.595{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local58728-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000264430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:29.595{2E1864BB-FCA7-629E-2A00-000000006002}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local58728-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x800000000000000082833Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:33.588{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291250DE171E54C1180DDE24741D2759,SHA256=9A0D107C5C4D166C390702127270FDF7C857001A7397103FF0CB54AAE6886C59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:33.248{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BF8249B8D0BBFD2F53A9F2445C1F74,SHA256=C36722FF805A9C2D655465B7B28B2432D63263D957BAAA637D3EA2214D93C20C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082836Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:32.731{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51688-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082835Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:34.682{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7BD3E425AA4FD831CD6FB341469CA4,SHA256=B90940B4ABB0B03FDF128641E9C8F463FAD4CD559B1D246DBFE98591C85A17C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:34.342{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DAF37D4335D3081A86535FAE635C12B,SHA256=64CB421EAA25121BA2448E34E461ABFEC10773C2714892588B4AC5B70FA265A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082834Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:34.041{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9A5372E6D0ED35E8D7A379816688E9B,SHA256=2111681AF9F606FA3AC2B6CD1D7149725CE2356B00E3F006AC18B19DEC5D6439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082837Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:35.775{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C4AAF7EF9E2BFCEB4AD6D122528F398,SHA256=0923AE1D2F4CD7A5DC152127B97506CEB1E720ED6FE32C59C3640055B9F14BCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:35.435{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE52C9874C468C88FE14DDF8C44912EA,SHA256=760B7E0B39BD76533E062B6AFBCA7621BCB1421CDC3D6786A0D1E2282FC6CC21,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:32.680{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58729-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082838Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:36.870{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF1EF640A1003995ACB37BFF373EB40,SHA256=F91E96B32498261F9D10706BBB98B9C658C9E50F8DFC02116037F76D246B1C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:36.529{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD081CA8653F5903847EBF064517248B,SHA256=80A11B1CD043835841627FFE37FB72FF76C38A6BD5454B303009E3F67DCBB175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:37.623{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2E600EBF0E22EAE39B0BD4FFCB99F5,SHA256=5D1DE2FA716074F22061347DD343F2E0593FBD0707B29888635ADBB264B82168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:38.732{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78945583E0CF304C57D3C25BFF3844F,SHA256=CAC19C40DC4BF4CCF4D3BB55816549DD8F3FE39BE9EACA2CAE76BBDEF1CAAB84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082839Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:38.182{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE717CDCECE1BDFED2FC00B1F8CF9916,SHA256=0241FE8B4A4F2AEB03CFDAA0061B923D06E85C123D45199AC2F11166009B9574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:39.826{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3961662FEAEA4D2D7660191E2C6F7FFC,SHA256=CEF80F90C63FED25354371576A20D20192E4F4BD4D2DBF4E835E43885032A474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082840Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:39.276{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ED63381D3C932F0A3B87D0E4D8AF6C,SHA256=27A6855B1B6E1E26D9C10EFA255C0B4B713420171DFACBC199824D066EB31B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:40.920{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F86F87C1D22368B875FBF78C19F637,SHA256=5762A45198838195AF57E4A9ECE622657684351A8A6CBED70B8E94C2F130B515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082841Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:40.370{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02BF837A4DE4D70DCFCAC340256187AA,SHA256=E2D7126730D960A7873BD2D7D194EDD59B4DF78811D42B3928E9C7FC9F9D4449,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:38.540{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58730-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082843Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:41.463{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97403298CA7231E4466CE5552499CBB8,SHA256=96179BBBB415D6C50D8A8211977450C7F2579995BEDD7D40B3458EA6CA254B06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082842Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:38.762{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51689-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082844Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:42.776{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=404D8D19F9120C5FA652BFEF817591A4,SHA256=D5D611712EB725A45247419B1B656241F442387FDC4FD33B58DD4EF6E0B139FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:42.482{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:42.014{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69AB3E9B23957651A88957AF8F48CBB3,SHA256=E771C967A09F9A0C5658A24C44B7348AA8DEE9F4560B6159E20E701579F7D7C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082845Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:43.979{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18379B9F1C3475E0115C210B60CFF19D,SHA256=7B8DD1AE21F74ED9FF24FF470EEBA1CD92939FE36D4E5F4300B5ACA204A7D3FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:43.107{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83EFD285D135F81745833C8A22463920,SHA256=F9536BA1BC95196CD67558D923F58B471FE1FD49C4120C2553062A79A909F90D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:41.915{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58731-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000264446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:44.201{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A9369BE7F7CD99B52EB290197104CC,SHA256=FFBEDCAAC5D016D8FB4AE5EA6D995FFAF68876CF30ECC1A5372EB2B3B8FCE729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:45.295{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221F7184F91B0B530771F49CC1842567,SHA256=A912B4E1887F1277ECFA211F4954E331E53AC930DCCCFF05970DAAA19637E931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082846Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:45.073{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7BADE4A461673073DF2227489A0F3D,SHA256=92AC7D0B5015355AA397841721CD2766CD700CF062AD4DFD2ABE2566DC2161E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:46.389{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7895020D9723B6DBA89710B9C10172D,SHA256=6030593A710F1B5C4ED4279CC1BD99FB925A4E5DB4944F17287112B52DA9B492,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082848Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:44.809{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51690-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082847Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:46.167{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD034E33F60A3B079E070D96742F203,SHA256=3CE7A2EDA2CF9A76F377AAE185BD5EEF5F90C6A9BAA5DA0530F68374C0D8F62D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:47.482{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A214C1FD3D20069DE8604B5632A815,SHA256=605E86269B8EA693E83ABE1F74F9DBFEC2114EE3D15B6183B57CB4786B2B1705,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:44.555{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58732-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082849Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:47.370{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE0741E139A31EBB89775A396C01FFE,SHA256=1FB011CEB5A16365E705B71053AA72DE9CC0F7291289DAE27687B8F932B325D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:48.576{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8697B826A7AD0992626D7CC8EE545E8,SHA256=EAE7EF593A001ADDDE78DB788B50632208F7EF961BF29D24CF24D79AD2373C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082850Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:48.573{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7683EBD45D9D3F6B5EF6DB1A6B2CE4AA,SHA256=DC12EE2CB017AA3C6E82FBC8750D826E32113928C5E5E5F92F9650C861163F0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082851Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:49.667{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B003E4462248944EDFA7A55A6CBF96,SHA256=90F83291E7C45DFB1FF3BE54F3119B5904CEB0C5D8A09FA7294E6B35A8BAE7B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:49.670{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1DADD4CC7DF08B90EBB6F753E75EFF2,SHA256=93CFE85F282685705F68368FEDA3D4F00C00703EE2E3004F154367B432DD5A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082852Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:50.979{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2554BDC254A800D6C1584AC7BA0A2F,SHA256=AABE0720FD0E49F8C3A908124E92D50763BCB591AEAA79750E0540EAC734C6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:50.764{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34B21B9B4218B7E0414743F2A7A1875A,SHA256=FD91D6722982438BA1958B6EFDAB25FC57A0A35B1315A000A31C274B9F38D227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:51.857{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8794E651F10B32D85D0645C27496E6B6,SHA256=A401929A6911CE33461529598C73C4A2ADEBAF0ECC9A9AC6B165CE29363094FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:52.951{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2C1D1009CED20A60EDDDA4E0CAD36B,SHA256=F7CCD4E52AE0A65280C870B41FF75CA765FFAAD4933284A69BAA57797A2FD221,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:52.904{2E1864BB-FC96-629E-0B00-000000006002}628680C:\Windows\system32\lsass.exe{2E1864BB-FC99-629E-1600-000000006002}1320C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:52.888{2E1864BB-FC96-629E-0B00-000000006002}6286016C:\Windows\system32\lsass.exe{2E1864BB-FC99-629E-1600-000000006002}1320C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082853Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:52.182{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDED2B7C5CE1B0CD7AFA8E8A2614463,SHA256=B33CD045B54975E5CDE8E552404C3636BAFA57336660124F9162C9DF43B7F9EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:50.602{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58733-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:53.935{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B3B70C6A5633BF6B585AB7885C19E7,SHA256=2CF7B98E8D6FB3629D900D67BE24920F5C225DB1F976B0C37228A3F6C641C70C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:53.920{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68397B1E8C51D0DB331EBD0352954FD1,SHA256=BB79B619D9E5017A8D49F15D6E9FF750C88C559ADDEF664625BBA8FCCFAF15A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082855Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:53.495{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07275E21865A9FAB65FD402B5E18331F,SHA256=606B9AC530D52098A10714D4B77584B0CD0B559D4BB6A23673E21601EF8630E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:52.998{2E1864BB-FC96-629E-0B00-000000006002}628680C:\Windows\system32\lsass.exe{2E1864BB-FC7A-629E-0100-000000006002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+976d2|C:\Windows\system32\kerberos.DLL+79b14|C:\Windows\system32\kerberos.DLL+1444f|C:\Windows\system32\lsasrv.dll+2f1c1|C:\Windows\system32\lsasrv.dll+2d0a6|C:\Windows\system32\lsasrv.dll+328e9|C:\Windows\system32\lsasrv.dll+30237|C:\Windows\system32\lsasrv.dll+2f1c1|C:\Windows\system32\lsasrv.dll+174fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x800000000000000082854Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:50.762{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51691-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082856Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:54.588{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CDA42225F2137B7619749A05B38C6E,SHA256=B6BF090E15D81DC627E76F2CFB625A3CB8E67F6683A8B5D81EFCB626AD653965,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:52.449{2E1864BB-FC7A-629E-0100-000000006002}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local58736-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local445microsoft-ds 354300x8000000000000000264467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:52.449{2E1864BB-FC7A-629E-0100-000000006002}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local58736-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local445microsoft-ds 354300x8000000000000000264466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:52.353{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58735-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000264465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:52.353{2E1864BB-FC99-629E-1600-000000006002}1320C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58735-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000264464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:52.340{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local58734-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000264463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:52.339{2E1864BB-FC99-629E-1600-000000006002}1320C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local58734-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x800000000000000082857Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:55.682{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC0120B6DAE741A9AEEF31A91CF34BF,SHA256=F772374244F76FD2ECDC68BDFD0FD2190FF0DC313B37B6467397FD45C6B353B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:55.029{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF7EBA50F18604E3805E6579F56E05C3,SHA256=8D6BCEE26C44F342637977F5785697B04751185C99232EEB119C4FC2510DA9BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082858Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:56.775{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B81262CF49AD072585146B39297DB36,SHA256=28DA77059FD0D493926A9CCA709AB0A0DB0D01859CBD845046F12202244B3C19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.842{2E1864BB-24A8-629F-DE05-000000006002}10082892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.576{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-24A8-629F-DE05-000000006002}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.576{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.576{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.576{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.576{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.576{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-24A8-629F-DE05-000000006002}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.576{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-24A8-629F-DE05-000000006002}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.577{2E1864BB-24A8-629F-DE05-000000006002}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.123{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC70CA8816C23D720ACEA4085B8ACD98,SHA256=7DF29DE9EC0A911FADCFAD8F02DA5946966921355D96D6A0A4E9A22BFA62BDD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.060{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-24A8-629F-DD05-000000006002}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.060{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.060{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.060{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.060{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.060{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-24A8-629F-DD05-000000006002}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.060{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-24A8-629F-DD05-000000006002}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:56.061{2E1864BB-24A8-629F-DD05-000000006002}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082859Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:57.869{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5BF29B1C6B495D4FAA34F02EDE7B10,SHA256=0B24983B627380AE131C8920DC2D346B1B2D1D934F0697C97F4BDC2796B42C28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.982{2E1864BB-24A9-629F-E005-000000006002}21884036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.748{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-24A9-629F-E005-000000006002}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.748{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.748{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.748{2E1864BB-FC96-629E-0500-000000006002}412528C:\Windows\system32\csrss.exe{2E1864BB-24A9-629F-E005-000000006002}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.748{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.748{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.748{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-24A9-629F-E005-000000006002}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.749{2E1864BB-24A9-629F-E005-000000006002}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000264497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:55.696{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58737-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.264{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96650F0F9E1858F592BB2F5E11C730BC,SHA256=983A8E91B4D39BD6060D91B24B213F6EE1C8D4B56F9E4F87CAE5AC457CAE0811,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.076{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-24A9-629F-DF05-000000006002}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.076{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.076{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.076{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.076{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.076{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-24A9-629F-DF05-000000006002}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.076{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-24A9-629F-DF05-000000006002}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:57.077{2E1864BB-24A9-629F-DF05-000000006002}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000264525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.967{2E1864BB-24AA-629F-E205-000000006002}52724332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.748{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-24AA-629F-E205-000000006002}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.748{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.748{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.748{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.748{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.748{2E1864BB-FC96-629E-0500-000000006002}412528C:\Windows\system32\csrss.exe{2E1864BB-24AA-629F-E205-000000006002}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.748{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-24AA-629F-E205-000000006002}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.749{2E1864BB-24AA-629F-E205-000000006002}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000264516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.467{2E1864BB-24AA-629F-E105-000000006002}6525668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000264515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.326{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BDBC6175147F6C844B54E80E2F584F,SHA256=14DE34385A1C0C798EA94DE6A5C66065EF4B9E043C1EF2A37AF34D1EC4132EDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082860Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:58.025{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=ED1C503318FF1FAC9FF0DEA340898D9B,SHA256=0F1637D8D4CC09BAA86BC697E23F82AFAE67A78048D14D2202BC55C145DD6357,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.248{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-24AA-629F-E105-000000006002}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.248{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.248{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.248{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.248{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.248{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-24AA-629F-E105-000000006002}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.248{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-24AA-629F-E105-000000006002}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:58.249{2E1864BB-24AA-629F-E105-000000006002}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000082862Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:56.667{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51692-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082861Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:12:59.181{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FAE85E4DF3EFC286A2706C91DCA858B,SHA256=BBB5FCFA2D69EA9B822D6313EB4F3AC7E50F1F3ACD5F1AD6A5C19D800BAAE2FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:59.435{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B1E668F9252053CAA767812D896101,SHA256=4D62269DE2A146D0127F37DF5A1F1234F87D010181E2725AB83F436F3C14EC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:59.279{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB06A80EA2BF77AE7E5538B2057DFD61,SHA256=181866525AC0E9913C8E1683CD57A62E81336B02C304BD24D2A8E207FAD9D0F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:59.248{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-24AB-629F-E305-000000006002}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:59.248{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:59.248{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:59.248{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:59.248{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:59.248{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-24AB-629F-E305-000000006002}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:59.248{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-24AB-629F-E305-000000006002}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:12:59.249{2E1864BB-24AB-629F-E305-000000006002}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:00.529{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD72DBE234DD52EB7199828A510087E,SHA256=3A16FA30FA5B637BC1C64F5B8401727DCC22D90240C6F870501793437482E88F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082863Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:00.400{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8BB731074F66E2692F52C49261B7D0,SHA256=54248625D3DDC0C3966DB09EC0B6B3B2E4DD8AF2A68FA8A5E32F0D4A18FFD530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:00.326{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=16F048091FFF5C2A4B61A50E8D2DFCFF,SHA256=7F6F61B73DEB7D2037C8472D2D710CA28BECDFA92DC813655AE9B62E91ECD52F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:01.623{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBDF278CF35D73F803EAA94916093BB,SHA256=40F7D4DBEE37BDB6C595276B1D945E65DACE9A3E210775CCDAF18CD1B3577253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082864Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:01.494{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10A2480B576947115ECAEC6CBA2F6C2,SHA256=2AC6AEE35DCBAD12F06A42EA0734D85EC8C68E30F46C9B5EDE130887F6BC5B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:02.717{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBF57918224347620A3FB3CA417596A,SHA256=DFD6140576F866F3FB75014BBF08F481BF5B538F89EEB4848D43DEA0F0FC0855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082865Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:02.588{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7404C732560F13E7E8451B46F99BA2CA,SHA256=F2F415F66A48DFE926126375E086C553DE5B890687C995120BBABE9C4CF7DA58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:01.633{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58738-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:03.810{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC73DA1B1CC49C418DE007866FE032E,SHA256=E4E54028F72A7C5099060AB5C38B3CFB53E6E1BF9D2CE811FCB3F25DD97ABB3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082866Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:03.681{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C324768248CCA4FDA5B5173CB92EE001,SHA256=4E48DD64720535FE5A5C41897E66748EF299236D2B3054B939B6F9A1A50070CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:03.045{2E1864BB-FC99-629E-1200-000000006002}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=56B8C8176C9D48ADF447BB984C9E4070,SHA256=87A57B0A5B8D4C81E5D826ABC52B065352D05058BB2C82650A07839036121C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:04.904{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D89247375D3ED384D9D1B5D3616F5B4,SHA256=06C8F8E6C12401A3DFCDE489F0EFBF28B7A901B483B8653E0E13B75F95A5A84E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:04.857{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E074E5F8AF0A3AD29394E4219980FF82,SHA256=A86A876CDAE1EE6DF3CC8D10E74F11826094C93F5BFCC83D7EC2C13A0DA6E3A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082868Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:04.775{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4BF76D25A0B2C7A4BB5CE7F757F7B33,SHA256=D548C2217F0FA10AD2CF8EBD3B3176FB192A4372EBFB907861C87CF5B682EEA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082867Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:01.808{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51693-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082869Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:05.869{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8B8AFA160C006D28E95EDD5E429B0F,SHA256=C253F9744D5FA70D134AD56D56FF1E52B9394CAB77C045AC03BC7E93DC3E6D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:05.888{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B61D1C79D84781F2E2E9D3FB275CB7,SHA256=522B65BE584FAAC0FCC76736377AE74EDC339977FD0C8A7CDAF2B1749D8CA581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:06.982{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827E8C29D7DA4134D973C7E1A73FA6AF,SHA256=7CE181B76A396C3DC4AD0B9E0A02CFEEB1718507A932EA28A31D08E71CE340D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082870Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:07.072{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A44AD8FABB496F57989C4DEB2E2329A,SHA256=AA2A4BBB1E5260C577E46F8CA2B1AE92A191B9742C3F637F4B9167C15A23DC23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082871Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:08.182{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6336225DC0FD18F0949E626C8E0491CA,SHA256=D86C3D3BF81394E9F83CCB8C7D4561C7DDB2523882C6DA3DE34858EB44E204BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:08.076{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E839CF357B08A9251A26A4A82F1BF32,SHA256=6FC6119FA807401E349CFB21967129D39159C903D205E5C9EC027E44D292D673,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082873Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:07.855{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51694-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082872Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:09.275{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEE9FD4EB767997061BEFA68E87FCD2,SHA256=BB5AD68809E3FAF91F72DF4222933738DFF66AA37F5B4F0702AD9C004F4C8F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:09.170{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D9DDFEBA420B1787590BDF73AF84FE,SHA256=BBC942B4D4D34B1AB313614EF7F21CE71EFB299888C570DA866A15A3AA7C276A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082874Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:10.478{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBEBE167587DE2855BC31F28AA20CF77,SHA256=D1B64FAFC269DC3819A09F3AFB284F13D52767ED2A70C5D3E0B54CA9A9DABA81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:10.263{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10352F43C09CD94A369D643DB3F096E3,SHA256=CB83D93047F1675265F900344EE3E2042B6FF8F95E398028E78CBB06744ACE4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:07.586{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58739-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082875Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:11.791{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06034644B2295C3792CC117B7143155B,SHA256=A915546E3911E21764B1E2D86F4E47DE0CF2A154CFDEE3E5730E0BBE49B7CCB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:11.357{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1F292010401BA0A7C51AA772AD864C,SHA256=8730CB15DDEC720CD8ACDDD0F523EA877D7694BE7511A1D835F7C85E494944C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082876Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:12.884{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049DD44206042682A4D07DD4EB599C95,SHA256=637FBCAAD73A5D279E409CF2245EAAE307085C83A9D16C095F93022ADCB46DBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.920{2E1864BB-FC99-629E-1600-000000006002}13205100C:\Windows\system32\svchost.exe{2E1864BB-24B8-629F-E405-000000006002}1920C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.920{2E1864BB-FC99-629E-1600-000000006002}13201364C:\Windows\system32\svchost.exe{2E1864BB-24B8-629F-E405-000000006002}1920C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.920{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-24B8-629F-E405-000000006002}1920C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.857{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.857{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.857{2E1864BB-FC96-629E-0B00-000000006002}6286016C:\Windows\system32\lsass.exe{2E1864BB-FC96-629E-0A00-000000006002}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b87d|C:\Windows\system32\lsasrv.dll+2875b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000264570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.857{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=580EA4120D03E6D4DA0B4B65E7BD7EC6,SHA256=A5F2A34E7568F27C2EFE155AA5879B4A8F0CD2C3F42DA69410F4BAA0FC638545,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.857{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FC99-629E-1600-000000006002}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.842{2E1864BB-FC96-629E-0B00-000000006002}6286016C:\Windows\system32\lsass.exe{2E1864BB-24B8-629F-E405-000000006002}1920C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.842{2E1864BB-FC96-629E-0B00-000000006002}6286016C:\Windows\system32\lsass.exe{2E1864BB-24B8-629F-E405-000000006002}1920C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.795{2E1864BB-FC99-629E-1400-000000006002}10921428C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.779{2E1864BB-FCD4-629E-8100-000000006002}27521252C:\Windows\system32\csrss.exe{2E1864BB-24B8-629F-E405-000000006002}1920C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.763{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.763{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.763{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.763{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.763{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-24B8-629F-E405-000000006002}1920C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.763{2E1864BB-FC99-629E-1600-000000006002}13205100C:\Windows\system32\svchost.exe{2E1864BB-24B8-629F-E405-000000006002}1920C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+ac80|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.763{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FC99-629E-1600-000000006002}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000264557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.451{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F598AE1C74E6F995157E87047CAE1C,SHA256=D72B409F5802B5F1C6B977B53C572980BF251B5036D746768501AEBE9B40DAD2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000264556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:13:12.404{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\76F93978-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_76F93978-0000-0000-0000-100000000000.XML 13241300x8000000000000000264555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:13:12.388{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\634CD7B3-42FA-429E-8949-85C1FE2E997C\Config SourceDWORD (0x00000001) 13241300x8000000000000000264554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:13:12.388{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\634CD7B3-42FA-429E-8949-85C1FE2E997C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_634CD7B3-42FA-429E-8949-85C1FE2E997C.XML 10341000x8000000000000000264553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.388{2E1864BB-FC96-629E-0B00-000000006002}6286016C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.388{2E1864BB-FC96-629E-0B00-000000006002}6286016C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000264582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:13.920{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0412528AA028F5506E1F8653320445F9,SHA256=F31786066D47AEB3CD63332AB0B9306EDB10DA999547602E06B885C805C0A502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:13.826{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56C1C36C0A0B68ED4F70EF91AE1DB425,SHA256=85ECCF1743C8A808D2E4DE1B3251189DBE66812CDFD52E1C3BE151A31427BAE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:13.638{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CF47063948E805F338BD90CAED8026,SHA256=20BAAD3BEB7644998547B1DC63344DB6E90CDD23E109FAEEF10AE26092F2DD0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:13.295{2E1864BB-FC96-629E-0B00-000000006002}6286016C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:13.295{2E1864BB-FC96-629E-0B00-000000006002}6286016C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:13.295{2E1864BB-FC96-629E-0B00-000000006002}6286016C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000264600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:14.763{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1003DC80AF40298D643245786604CA7F,SHA256=14B2C8209BBA78860A1B9F701515F60EF84235AC35943279AC23987597837875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082877Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:14.088{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6CECB9EAE336AF527F68C3ACE9D5B6,SHA256=7DEE4D6A005F2668D1398E0578C8B67417A2320DC84A037716D22436F74A085C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:14.310{2E1864BB-FC96-629E-0B00-000000006002}6286016C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:14.310{2E1864BB-FC96-629E-0B00-000000006002}6286016C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000264597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.332{2E1864BB-FCA7-629E-2D00-000000006002}2900C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local64012- 354300x8000000000000000264596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.324{2E1864BB-FCA7-629E-2D00-000000006002}2900C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local51725- 354300x8000000000000000264595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.324{2E1864BB-FCA7-629E-2D00-000000006002}2900C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local62060- 354300x8000000000000000264594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:11.904{2E1864BB-FC99-629E-1400-000000006002}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-62039-false127.0.0.1-53domain 354300x8000000000000000264593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:11.882{2E1864BB-FCA7-629E-2D00-000000006002}2900C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62039- 354300x8000000000000000264592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:11.882{2E1864BB-FC99-629E-1400-000000006002}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:9830:65e5:6d0:ffff-62039-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000264591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:11.858{2E1864BB-FCA7-629E-2D00-000000006002}2900C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local62039- 354300x8000000000000000264590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:11.854{2E1864BB-FCA7-629E-2D00-000000006002}2900C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54855-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000264589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:11.854{2E1864BB-FCA7-629E-2D00-000000006002}2900C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local64965- 354300x8000000000000000264588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:11.854{2E1864BB-FC99-629E-1400-000000006002}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local64965-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domain 354300x8000000000000000264587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:11.838{2E1864BB-FC99-629E-0D00-000000006002}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local58740-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local135epmap 354300x8000000000000000264586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:11.838{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local58740-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local135epmap 10341000x8000000000000000264585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:14.138{2E1864BB-FC96-629E-0B00-000000006002}628680C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:14.138{2E1864BB-FC96-629E-0B00-000000006002}6284772C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:14.138{2E1864BB-FC96-629E-0B00-000000006002}6284772C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000264606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:15.857{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94024E5A2EC727FC056E9BEF2682F7F7,SHA256=5A1F9C7FCA6EA5AAF122E63187A3DA6C9E09539858F6C2DC0FAD2F3C62AD98F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082880Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:13.714{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51695-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082879Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:15.291{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F9313735588877A2B367C33729F4D8,SHA256=145D1A11DDE0DC768ED7197DFCA6055836BF23AE9E087F3A1AA04FD3A1DDE8D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:13.586{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58744-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000264604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:13.586{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58744-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000264603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.742{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58743-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000264602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.742{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58743-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000264601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.633{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58742-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082878Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:15.150{0A5DF930-FCE1-629E-1100-000000006102}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FD6889276F959E0829F58FB42DF61C89,SHA256=382C9230AEB14A7BBE4D09864FB7E6F34518B1EF25FD44D7A5EBF720C35CBAF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:16.951{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23329C23F36A4316A0B2E707DF748CB9,SHA256=135AAED49813AD39A323776851D0C189933DA23902F96A000EA8E7B51B0375FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082881Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:16.384{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C46381D0E90C9C1790CAE485FE7F3F,SHA256=E784A624CFF788DEE147A329E34F585B3C858C564A175A44D35BA3BD4B56034C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:12.341{00000000-0000-0000-0000-000000000000}1920<unknown process>-tcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58741-false18.66.139.69server-18-66-139-69.fra60.r.cloudfront.net443https 23542300x800000000000000082882Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:17.701{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A46E0BFBD7DCE3CB9D4DB027BDB7B8E,SHA256=252BFB9ACFF37026BFDD90929768C6EDEF34F55DD8732103A2B058086856B3AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:14.570{2E1864BB-FCA7-629E-2D00-000000006002}2900C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local52609- 23542300x800000000000000082883Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:18.795{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F132C011FF03DE9BA0803E5596FBB274,SHA256=A7549D074240F158630765B0711CAE7C8EA1137F586517F1049960645FBD2F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:18.045{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C758AE2F2F2C4A4F552DA9827EE5B5,SHA256=32D67F1B3C368B6064665E5EE7F40FDE0E8E6F9ADEB6F1367BD0BBD732DA6D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082884Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:19.888{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BCC070480BB17F41B658EBA41A79E8,SHA256=789775976D31DF3225266BA30233EB03C8C608F952C59F162F3A29654E49D610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:19.138{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=506410B0B8E0B7006A0D151AE278050F,SHA256=8E31A2FA535A6248BF82173499D71C4EF8A8B1DD0DB4B0FA395A80121F641F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082885Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:20.982{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E708CF755709ED21B9A7EAD8CCF11B1,SHA256=6930BD612FF16B63BBDCE98B7603EBB1C36D6AFA1033D55B1D05C46F45B43F0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:18.555{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58745-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:20.232{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52DA379477C7DB2FA58B37E01373B726,SHA256=3E9939D37436CC090B72B61F639F6C38145E4DFB74B7A089245F3DF3E06D2524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:21.326{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2AEAE2FA3BF0E413F5C076382726D1,SHA256=724EF089A3DCE20CFBC7E3005F5E5179388E676A5DCA686E123804C0DD40569B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082886Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:18.858{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51696-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000082887Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:22.295{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E5CAA663320979E27E6ED49C1F64E7,SHA256=0AAE2BF765B84670E29D0DEB3A27DC65A5791C36656AF383D36D16C407C9E6E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:22.420{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA81A050664AD4A8050356279C31A85F,SHA256=83F989D15EB402ED15633182BDF3747F756B8C2A12791AF397A7CEE6562F775F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082888Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:23.498{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A58A648BCBBD107C87BC795CAA455D9,SHA256=71DE65497EA28D6690F9673E8F26A49497F0E5A06902A8923AD0AE66F768C6AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:23.513{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4870A3D4D90C645983CD4CFF685E7188,SHA256=FB81152AE0486C85FDF2BE7D79C035E18F18B7582D9A77724BF3581CE81E1968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082889Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:24.592{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD76478BE23826CEDD7792693D46DE3,SHA256=9510082C1BDA57938D0C6A8ADC7CD66EA2C706806F020B3B1C9F4364B1536E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:24.607{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540E2347A003CFE9614C651DD0855F2B,SHA256=255C385CF71E4FE84EA30A58991E1294EF1AAC53979CCCE52579F243581885CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082890Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:25.904{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B216427201339C839F1BF8A83A1AB7BB,SHA256=123711577D5C3B6CAD41676C7D821D1E6801307849A250AC34DC756E78F80D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:25.701{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B14DE628FF0AB53437409EE89E9E7D7A,SHA256=8A74312B356D03D2FB91B2E84DC3CDFA5F2DA08DCDCA9A696F1E6F9CEFDB80BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:26.795{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BAF092EC4D6083064D59D41FFEDB54,SHA256=EDC37F9B60D6805A0CD8B72F5C560D7A181073B77326CCF92F166095EA57F211,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082918Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:24.671{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51697-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000082917Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:26.732{0A5DF930-24C6-629F-4F05-000000006102}20003900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082916Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:26.513{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-24C6-629F-4F05-000000006102}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082915Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:26.513{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082914Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:26.513{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082913Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:26.513{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082912Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:26.513{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082911Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:26.513{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082910Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:26.513{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082909Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:26.513{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082908Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:26.513{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082907Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:26.513{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082906Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:26.513{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-24C6-629F-4F05-000000006102}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082905Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:26.513{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-24C6-629F-4F05-000000006102}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082904Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:26.514{0A5DF930-24C6-629F-4F05-000000006102}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000082903Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:25.998{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-24C5-629F-4E05-000000006102}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082902Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:25.998{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082901Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:25.998{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082900Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:25.998{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082899Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:25.998{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082898Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:25.998{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082897Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:25.998{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082896Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:25.998{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082895Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:25.998{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082894Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:25.998{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082893Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:25.998{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-24C5-629F-4E05-000000006102}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082892Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:25.998{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-24C5-629F-4E05-000000006102}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082891Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:25.999{0A5DF930-24C5-629F-4E05-000000006102}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000264619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:24.586{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58746-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:27.888{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B3F44DD95D27348F729FB2CB162307,SHA256=B808164AE59F3B5F877A349C56D518064CF8476C0E51FB8CC22339691B7DED6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082933Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:27.138{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-24C7-629F-5005-000000006102}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082932Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:27.138{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082931Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:27.138{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082930Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:27.138{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082929Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:27.138{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082928Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:27.138{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082927Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:27.138{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082926Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:27.138{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082925Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:27.138{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082924Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:27.138{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082923Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:27.138{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-24C7-629F-5005-000000006102}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082922Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:27.138{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-24C7-629F-5005-000000006102}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082921Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:27.141{0A5DF930-24C7-629F-5005-000000006102}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082920Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:27.138{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A518501FA8C12C602E109648DC21AD,SHA256=01911FF115FBAB7F7F37B42F65309AE8F354765D1825912BC2A3AB15307E4FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082919Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:27.123{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DE0CD9142F41C8CC1C04DDAE5C6A8D5,SHA256=BA732A78035471194BE57D68666BC276218B54E1B8A149C1FFEE1CD66BFC72D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:28.982{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D04A53B357F586153DF8997833D443,SHA256=13A0769FD9275F51DE3EE7D3020FE76B7DADAC70BD620541335E964BC87A78EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082963Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.951{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-24C8-629F-5205-000000006102}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082962Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.951{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082961Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.951{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082960Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.951{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082959Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.951{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082958Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.951{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082957Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.951{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082956Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.951{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082955Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.951{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082954Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.951{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082953Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.951{0A5DF930-FCDF-629E-0500-000000006102}408528C:\Windows\system32\csrss.exe{0A5DF930-24C8-629F-5205-000000006102}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082952Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.951{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-24C8-629F-5205-000000006102}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082951Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.952{0A5DF930-24C8-629F-5205-000000006102}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082950Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.529{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082949Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.435{0A5DF930-24C8-629F-5105-000000006102}17922092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082948Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.341{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=633CAD8614A4CC72B132DE47ACED0624,SHA256=01563630A2D6FD712FE8EAABB5133915CB2DD01C2EDD1E0730E9E1784B89B258,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082947Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.279{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-24C8-629F-5105-000000006102}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082946Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.279{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082945Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.279{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082944Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.279{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082943Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.279{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082942Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.279{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082941Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.279{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082940Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.279{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082939Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.279{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082938Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.279{0A5DF930-FCDF-629E-0500-000000006102}408528C:\Windows\system32\csrss.exe{0A5DF930-24C8-629F-5105-000000006102}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082937Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.279{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082936Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.279{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-24C8-629F-5105-000000006102}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082935Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.281{0A5DF930-24C8-629F-5105-000000006102}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082934Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.217{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AD005500B28AD7CB63156CE883662A,SHA256=4CB63DDAB6045D8676E234C229CA22194D11AEC01463544E0B1AAFF03AFDBB3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082979Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:29.836{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-24C9-629F-5305-000000006102}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082978Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:29.836{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082977Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:29.836{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082976Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:29.836{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082975Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:29.836{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082974Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:29.836{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082973Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:29.836{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082972Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:29.836{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082971Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:29.836{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082970Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:29.836{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082969Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:29.836{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-24C9-629F-5305-000000006102}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082968Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:29.836{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-24C9-629F-5305-000000006102}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082967Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:29.837{0A5DF930-24C9-629F-5305-000000006102}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082966Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:29.563{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220607072316-165MD5=9111EC41FF83C628EF84330FEA05BEAD,SHA256=3F7BCDBE67AB8824DC300550CB45B7322968B387BF2CE401070A8C26F347D813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082965Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:29.420{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C91085BE23FA45795C242632AD70C2,SHA256=30C3C2ECED3D036375656392382DC517D751DB3A9EDCF9AA6CDDB8E2BED3029D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082964Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:29.326{0A5DF930-24C8-629F-5205-000000006102}12121008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082983Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:30.571{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220607072314-166MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082982Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:30.430{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0A1013B6B3AFA157BE2E01FBCD56F8,SHA256=81CF72C99ECCFD84BD104F68C207BB3B5F3651FA80C549B80111FEF974A52704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:30.638{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EF522BC89ED7D7763F04B81C4C5183D5,SHA256=E8C2C4429FB72A384C4B42172EA035C4C2DD0099DBDD4753ACFA7E2F3619D19C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:30.076{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED9E08FC65EC4AA3A5AAD98AA6D1D91,SHA256=2B729DD0436EC0864A8EB8E8586BE7DF7BF8CEEA1A3A869034A6589D0A3D4744,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082981Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:28.108{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51698-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000082980Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:30.039{0A5DF930-24C9-629F-5305-000000006102}36923416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082984Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:31.524{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E30ABFF3F9123C23FFF10661D33710F,SHA256=8BACB0F5337A8EE530053905E217EF567730AA547539AF36944A34D909EEFA5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:29.648{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58748-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000264629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:29.601{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local58747-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000264628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:29.601{2E1864BB-FCA7-629E-2A00-000000006002}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local58747-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x8000000000000000264627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:31.690{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220607072217-166MD5=26E254714248D0D79F13F56976A5C4B7,SHA256=C15338F826599CD6AABDB3AEEABC6E7FD705959E0E9A072D05126DC09FC03A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:31.327{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A4EB16DC1202FED374B2D2ACF62C71F,SHA256=5203B5FA362BA2C79BF2F6BCF7B6C556751B4859D515BCCE9C1D4EB2229F7B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:31.170{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E0B04F43971421B6E11E826CEB0993,SHA256=33AB5BCAF28A23BA2ABC76887A646AD559428BA0CAC928090F120DA13C949272,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082999Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:30.713{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51699-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000082998Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:32.930{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-24CC-629F-5405-000000006102}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082997Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:32.930{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082996Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:32.930{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082995Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:32.930{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082994Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:32.930{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082993Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:32.930{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082992Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:32.930{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082991Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:32.930{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082990Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:32.930{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082989Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:32.930{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082988Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:32.930{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-24CC-629F-5405-000000006102}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082987Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:32.930{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-24CC-629F-5405-000000006102}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082986Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:32.931{0A5DF930-24CC-629F-5405-000000006102}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082985Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:32.727{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A0028BE1AFFCC62A22E1C395567B11,SHA256=5890F39FE29145478F45C45BC8D92C28F56F4D94D6CA59DB6AD9B0CF93EE13F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:32.688{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220607072215-167MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:32.265{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FABE1ABBD284E27598B7656C57A7F9,SHA256=AAA42142C690B7DCB517BFD172853EC6228DE68B539438B167B4CF7357EAAF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:33.346{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C433B456B67DA5E30D5DB1EDE5776F7,SHA256=1F6B6EE20ACFE22DF35D8658F3EA70AF3EFA271DE48485772204C1B1865D3D8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:34.440{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0052C4F7CACAD228A64EE4B732C6BA14,SHA256=AFCD870D524BC4A726DCC183F980B6C684A98A4C5A780603D8326B5263396E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083001Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:34.040{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3017D407F49C36792FEB8FC1262C2B1F,SHA256=46E8ABA6663E2A11F72A3C20358B1AE38AB59D36A8E4773A8954F953F44E31BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083000Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:34.008{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F79DCEC6B1D07EB886ECE84716C3EF6,SHA256=ECC891D0462F1D62959CCABCB9558822A6EC1F925CD100BB5C52BBD3D422E4ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:35.533{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF366268DEA473373B82C9F711C0DFA,SHA256=C5A0ECF0DE376369DAE2D4EDBC9020C4D5BED84999C125B51BC1DEE086A8A317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083002Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:35.133{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF496648A9529DB10C198096E652AC84,SHA256=9DEF00C70DD43907BE7D5A4FFEBAB7B3F2E8FE010D16AE11C922635CDB45972E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083003Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:36.337{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D386DAD48955B6DFCCA7E265A8FA325,SHA256=162B627B644921A70CF9C275BECCF2ED4772CBE0AA59AAA64E993C35EA40A2F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:36.627{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858E14D35AAA25424A8C612451A88F85,SHA256=E6AC7AF4DDBD258B24E2F8562FCE0B2167D852CF78D0F150F5FCACB2240B1E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083004Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:37.531{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8181F4CEFE27D1FA1911523E7547660,SHA256=679912622DC3F79AC52ECDCBED0683E684A26BE84B74E7A54F2DF4FDB81A2E52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:35.606{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58749-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:37.721{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD4706CF5440BC4A229B4FEC9E52AD4,SHA256=CBEA1F33EC6C3C93132D670013FCBFE32E09D83D5562EA607EAC34D63F8E3E34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083005Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:38.734{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4AEC0B20AE423FBB78BB31D70C0471,SHA256=ED8AB72E5A5C226600EB84DAC56AF4D54454139125F1595702148F2A2ACEC87E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:38.815{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=555803B7196621BA02A447AA0F2F53E2,SHA256=5CE8FE6FB29959D7081B3D853AD932785846AB525F42DE1E9070A794B7B8A4A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083007Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:39.938{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C83411793D90EFBC3EFBC25F9E3A49,SHA256=1EB543A1B99A50471209877E4BA8A3CE1EBDA28AA5A68B5B4A49AFAC80343ADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:39.908{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3BA484D60B51253C60F5798B75B40B,SHA256=931BA9CFB1B2D4508F5003A9C6D123103D72779CDF21EAAF408D3E9741CE611F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083006Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:36.735{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51700-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083008Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:41.141{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46621323F8069C63DFDB39A5BD986486,SHA256=4E90FC4518D93FD88A94116DB04297AD447485373C8D195D112621D6615631A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:41.018{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC803075A34EA7A7136BD0D189EE3C0,SHA256=1063B20B3CC56BC30BDB343B8036084991EE2F2FD641791F2EF13B74EA1BEA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083009Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:42.344{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5B6969C2BAB256C358EECE85795A14,SHA256=67FB918FD751AB58D8224854BFA6C9479CBD3227267237226F1973E18E9A6316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:42.502{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:42.112{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E17409C68FA6CBA079B711DBC7AF0C,SHA256=2660BBB980348EB2ABC573A134423E9F3B40300837ACAE2B50E6EA90E99CF0C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083010Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:43.547{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE62397C58A79618E1475E0631AB0747,SHA256=2BBADB6DC7F9A5305F80F873CBCA34B64CEF8152C84B978F5A3FE251553F28AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:43.205{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C376436D87472848CC9DE9E0E31A3BF9,SHA256=2224197334C20FD91D43F4B8159CD4A16953E278C1A01FE5D2AA7B3E83515521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083011Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:44.641{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D457AE5051059F6927A481C4A6A96A4,SHA256=5AE6FC18ADD0A79F6F3C0FE1224C72A0CB340707425E52A537A64DBB4F54726F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:44.299{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E787B53AFF2CE0F3ACF2A15E0E664A6,SHA256=50A6CBA282292B167C947A56315020F70DA9B4DBACE78973BE6109882329E797,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:41.934{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58751-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000264645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:41.575{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58750-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083013Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:45.969{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6516229C93303BBE76F4E8549390CD2,SHA256=DE6107BDB73EE0FBD5EDE8C3D3C4126C8B5815BA255B05A146E89BDE0F2BEA2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:45.393{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211CFCA98F9BF29C7B48A8DDE7DAF4D9,SHA256=F68D9DA0328BED442E5F3F2D45E4E46CE91553F8936116966698489CA6721290,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083012Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:42.657{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51701-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:46.487{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F07D5D79ED89CB39498E7B8B659C46,SHA256=7DD991AF7958B000A0819A31A85C4E0658D5AD634BFCDAF1E100D4F62F8B00A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:47.580{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A849AB8EB4C8BB8EBB1D936EE5C50F6,SHA256=75B7E3EE1752B93F098742A6665E7CD70879C2542EE85CB55CA57704EC615BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083014Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:47.063{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0197EB3CDA7208543690FAE7D34C3E,SHA256=F933D5DDC8FF0094C20375CF7666180B8501E7EE7921BB4D911C15EB64DB2F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:48.674{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F7496D539E0E8974B9EA9861CD18D1,SHA256=C66235B6C6960741CD1BF31633A247171A8A459DDA023C1BAF1B88D6107A174C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083015Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:48.156{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCE4789190916C1C4E00E1E86531322,SHA256=22B19D186DCE4F1D9E88EF94EC7D0AAB24007CCEA8AA4084198FD5485C8678C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083017Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:47.829{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51702-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083016Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:49.250{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4889D7C58D3F40974C545E31BF1FCA34,SHA256=141800ECF2CA22738D1718EC874C3B1F65B132A10E5135902376E70CD64275FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:49.768{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B604E191B3C2E0B9EFF52888BD4C13DC,SHA256=C3614083B42FF2A555B3748B8A972B97353CAA746BEC2F2E3449D1DB9F921A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083018Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:50.563{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6A3E89B10BD96E299A23D12B93F94E,SHA256=E6AB4A8DFA65895139EE177A8F4CA57E0D7542966458E30BFC25AB5206BBBB7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:50.862{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF9B10432C471E35A4562436520B3135,SHA256=69DA8CE1B0D143050798E3307D5ABC5E29BCA34A3A052EB0B7D8B52F96E8F0D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:47.527{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58752-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083019Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:51.766{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2CD0F38828620AF49A3127DA311326,SHA256=75F2DE170AA16E2603915014A2F8273E47D3C0757FD6B55AFA674D9C7775EF01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:51.955{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8276AEEAC6967269EBC32B394856F4,SHA256=2D269F3AF58BB965AF79A809AB050C42DE094605C344F95527DA59DA8D9DB6C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD9-629E-9600-000000006002}4504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD9-629E-9600-000000006002}4504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:52.330{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD9-629E-9600-000000006002}4504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083020Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:53.078{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB7014EAEACE438D228D61B71900DED,SHA256=5203CB2F04BDA9C9D73ED48B3CD8A88B1095E943D7479E109BFFBDC5F4CE07CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:53.268{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA4EDE0B7C764728B2CE935DD4CD4A2,SHA256=4B0A900F9085111E69A273ED01296A2A9B7AE61E1A88D7EE893161D017214231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083021Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:54.281{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1ADB57B3AFAB941717AAF2005CF09C0,SHA256=EAABF44EFF24AC51A30A4842D4BD6F61363364A40E261443B45ECD32BB1BEF1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:54.377{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A7ECDFC0820E7EE1A323F1569BA0233,SHA256=1C3AF1393A02003DE398B12D0C43519CDF4538F9F16565C7F553A2E9E0EDA688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083022Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:55.484{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B43E6467FD3B8EF83412D0815639BC,SHA256=885A0014B7B0533002091984F0329CCE9F3753943C8C0F08796BAC2EDA02F5C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:55.471{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F324E8B32903B9FEE1A570D9DDF8B360,SHA256=679D60884FB7213E5B80E13F66FF3F6E3B76AF6A14D626200F8C8307F3BDF14E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:53.558{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58753-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083024Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:56.578{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED62687283FA1FAC2B57BAD2C9D7E7B,SHA256=4F0970EF37FAC0DE05136F21EE2CC87A4339740AE616D6DBC54FCAA1098948CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.737{2E1864BB-24E4-629F-E605-000000006002}28324420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.565{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-24E4-629F-E605-000000006002}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.565{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-24E4-629F-E605-000000006002}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.565{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.565{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.565{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.565{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.565{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-24E4-629F-E605-000000006002}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.566{2E1864BB-24E4-629F-E605-000000006002}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.455{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B82919D85DC759A9E5833004635902,SHA256=919529BC8A974EE0AF59400ADDDDA56037A04FCFFF40AFB83030D7464434159E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083023Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:53.797{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51703-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000264704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.065{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-24E4-629F-E505-000000006002}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.065{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.065{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.065{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.065{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.065{2E1864BB-FC96-629E-0500-000000006002}412692C:\Windows\system32\csrss.exe{2E1864BB-24E4-629F-E505-000000006002}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.065{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-24E4-629F-E505-000000006002}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:56.065{2E1864BB-24E4-629F-E505-000000006002}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083025Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:57.671{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A74F7DC5FEDC0A8F734707DB0CDD3B,SHA256=4C57B35B394A493C2A2E3A2746739F5FCBDA9194C66A8A5A2CC027AEAB0C7BC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.971{2E1864BB-24E5-629F-E805-000000006002}45365520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.737{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-24E5-629F-E805-000000006002}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.737{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.737{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.737{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.737{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.737{2E1864BB-FC96-629E-0500-000000006002}412692C:\Windows\system32\csrss.exe{2E1864BB-24E5-629F-E805-000000006002}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.737{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-24E5-629F-E805-000000006002}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.738{2E1864BB-24E5-629F-E805-000000006002}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.549{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF9612209F49AE755788EF68FCFAF6E,SHA256=4E62E2ACD24B069B7944C961371B1A2ADC5EDAF300194A98F967B1E62C7AA07E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.237{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-24E5-629F-E705-000000006002}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.237{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.237{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.237{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.237{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.237{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-24E5-629F-E705-000000006002}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.237{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-24E5-629F-E705-000000006002}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.238{2E1864BB-24E5-629F-E705-000000006002}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:57.143{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FDBFAA90E4B53A25E91B5B2C632F3DE,SHA256=50B2B7B720DA3D52BBDDEEABFB949C9C927E23D5CDAF782D58566A86F5F0CD26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083027Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:58.984{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7BAA40427B5C75207413D56D6BEBA9,SHA256=C2EA73C705D09E1FD31A4D22930CD3924532D5864A360E3B96DE9A1D5B4E7532,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.987{2E1864BB-24E6-629F-EA05-000000006002}37525420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.737{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-24E6-629F-EA05-000000006002}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.737{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.737{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.737{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.737{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.737{2E1864BB-FC96-629E-0500-000000006002}412692C:\Windows\system32\csrss.exe{2E1864BB-24E6-629F-EA05-000000006002}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.737{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-24E6-629F-EA05-000000006002}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.738{2E1864BB-24E6-629F-EA05-000000006002}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.643{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5014A581CA235C9B9914B160A6EB70ED,SHA256=7F283C12E75E4B62BD3BBA68CEEEF494B7AEE63D1732B89944EE6BE039EE7AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083026Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:58.671{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=78B23149823638EE3D832FD5DC5F86ED,SHA256=336C976F562791675D50AF9EEEC3A81927F3AC3A2B87BCE3B6A6F8B09FBDFC89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.534{2E1864BB-24E6-629F-E905-000000006002}43406012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.237{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-24E6-629F-E905-000000006002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.237{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.237{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.237{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.237{2E1864BB-FC96-629E-0500-000000006002}412528C:\Windows\system32\csrss.exe{2E1864BB-24E6-629F-E905-000000006002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.237{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.237{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-24E6-629F-E905-000000006002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:58.238{2E1864BB-24E6-629F-E905-000000006002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:59.737{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52ADB57084027D4AA61EB45F87D8D7E9,SHA256=C566AC83A637321D8A272CE42E0A03D461417B18DE929C0E21CAF9BA8444AC79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:59.252{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-24E7-629F-EB05-000000006002}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:59.252{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:59.252{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:59.252{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:59.252{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:59.252{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-24E7-629F-EB05-000000006002}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:59.252{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-24E7-629F-EB05-000000006002}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:59.253{2E1864BB-24E7-629F-EB05-000000006002}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:00.940{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=12AD29F5F84D866C99C43B920AAF96FD,SHA256=3BA1377C3A3672393204DD5667BA282D3DB445B6F652BB1539A7C21E6640CF2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:00.830{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB0805B826C6B645B3D2FFF70FE747E,SHA256=BEF57872582A62ACEB5CE4F9E43C9AAF9088BA194CF5411FA1BAD37415D1E344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083028Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:00.078{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B457B2203E407F6B804E0905B77A98,SHA256=63C015374849BBAFA1142FC09CBE23FE841E12D89E9DA16A4D701BB9E767EE88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:01.924{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F3312BF0CF9DD20B2CC752204441E1,SHA256=241AF71417D6A0396D7E0E05AD0261933706E9DE346F4493B230ED0EB5EEC835,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083030Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:13:58.812{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51704-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083029Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:01.281{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DE1F91FF5EBE1EE0266090779C1EB5,SHA256=0464F5F1D28AC0E23337763141E8A595B628BBA9A34A1FA1391AA97686931FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083031Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:02.375{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F83EC2DEA489D168F3AEF26799ABF7,SHA256=25B20432941F9F9A237383AAF34C601DF02D0AF4A6EBE0F5B91271B16805EE12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:13:59.559{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58754-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083032Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:03.468{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07BA69505920D07F3BE956D79410141,SHA256=3B31131B8E0267EDDA00B3B80C82048D06C99FC6CA37FBCE7E7F990AEF699ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:03.049{2E1864BB-FC99-629E-1200-000000006002}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AB992D048DEB46FC2989CB757E320CAA,SHA256=F26C31A73DC87B14C3E4D83F9D7B993A77AC0BA7028C34127AE766C84347994A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:03.018{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A632DFB53CD60478BDAAE53528E124,SHA256=81902386B97BC6E98EF4D76BFBA4E861C4535A21F99A156C6AB4FDAAD8550892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083033Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:04.562{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8655EAF40EC5F9850C8E806B3A44889,SHA256=8BEC96DCF2816808E49A0020F116B5ABFF82DC800331DF624C8BDC8882964298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:04.112{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F13FE2D98D8FC1A40D79B9991998CE,SHA256=2DFF8F280D5E797C4A0570D916FB503BCDC66C72647B8C6DDFFF6F955543914F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083034Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:05.656{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0836B2173B687AC63D2F62E836AB0105,SHA256=F2EACC6ABB74C275BEE05FE5313B03EE50D1C2A64CBB41D11784CF375433274D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:05.205{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53490094DFC5F4B420EA4DD4DF26130,SHA256=ED8726F6BB68EB352AC615FCDA331FD5FF61C70C542D8B146B69C340472567CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083036Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:06.859{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A61E0D67E23B40DD50F35C0225110D,SHA256=70BF998B96045978A87568C7131946B464F27B14AB70E5C4D7E114BDFF98A3AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:06.299{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7598860AE01E9E2183B41ED25A9725,SHA256=451E9454DB1E7ECD4B55F591E6954A5A1E7B828BD82E65C02D0C32ECD6EE7870,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083035Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:04.766{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51705-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000264772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:05.559{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58755-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:07.393{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E618087647816585B4D9B1754E1FB9FC,SHA256=59466144AF9F08F8A769E8FF9406A10853CBDE3FC4F4731A7BFD1543D4A711FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:08.487{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC8100232A1CBB0178634176A5FC772,SHA256=14CF320B276C5B187F4292D47873B56325C6866494D5B23246C0138FB2E7BE05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083037Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:08.171{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4A984149C60550A3342183403AC7B7,SHA256=31344DD23B26C2A4C4319EB81E29CD776139D8F5BCD450A4AD7D18C95EF01C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:09.580{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D386ED526E584FB6467BE194E7388E4C,SHA256=3BC7B9DB2366AF4ED4876701E0ADDCC6B4E7AED85B476C2948E6206A25714159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083038Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:09.265{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C434B30F1EFD28F3D23B1A8E00CB1C00,SHA256=D2CB129D5DC644AEC8EC6D9779D37E605579F6909FE2E2A9281A00F504001FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:10.690{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CADD42CB5631F9E119A47DFBF374B8E,SHA256=CDA63E6F0A8B09B47F85730C89F274A5E20E03DDAA0A7240B97452E1DFF121F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083039Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:10.359{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EDDA746F8B1135156276460DE393C35,SHA256=18FA764FB5238E891D2121BDD6273AC8FE59C4AA10BE2D22A4C76D8CDF302236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:11.783{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721EC45F3D514895F02B7A26106FEA41,SHA256=536D59DB3BCB4D94F4AC80858C0C91135732CF0D17F3E0829191059A16D4442D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083040Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:11.453{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F04284798467EFAE3F22C969A16705,SHA256=1A959B575D75DD6B4CF683C68A159D3C24D710D5F25EEEE43F985B47C90E2213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:12.877{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9054964CA2FF1A9F37A43E220AB4068,SHA256=33C49496D950332F41A9FCE73813327792D909AB2DA2F5622C6FE89EE46B8E08,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083042Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:10.640{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51706-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083041Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:12.546{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27528D7A80FF4AD8BBD06ACE6DB54F96,SHA256=9858153A1C8B62DA1F98993AFA39C9E0AF049429CA4FFF4A9637EFB977943D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083043Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:13.859{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13E550EF0C62E61EB2305C61D11619D,SHA256=BF73865230C60FC90469FD4EFE946936C9A6CB26D4985578F88CAD3047F4D405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:13.971{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19AFB5BC2723209E42096CA317EB76E8,SHA256=E475A3222CC7D4BC8F14C0F920E84B92299796FD16323BD9A8CE6E587F3A4C42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:12.407{2E1864BB-FC99-629E-1400-000000006002}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58758-false41.63.96.0https-41-63-96-0.hhn.llnw.net80http 354300x8000000000000000264781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:12.395{2E1864BB-FC99-629E-1400-000000006002}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58757-false41.63.96.0https-41-63-96-0.hhn.llnw.net80http 354300x8000000000000000264780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:12.392{2E1864BB-FCA7-629E-2D00-000000006002}2900C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local51958- 354300x8000000000000000264779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:11.527{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58756-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083045Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:15.187{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E327C1903ACAEF0613DD649277D9B17A,SHA256=306D32F092C91AF74C5B4D97C84473054339AF2CDDF44BA83D3DB798BFB990D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083044Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:15.156{0A5DF930-FCE1-629E-1100-000000006102}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=655D19809DE921536769D520B6C40BF2,SHA256=D51E5F8F5B1A79C0D756A5CA35FA660AE62CF391F5E5E79ABA2ED0EB4CF0E903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:15.065{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DBB309A141E9E6C5110E529EC8706A5,SHA256=0F41638D25D51A577361555CCEA69BE8210CE65A1F4EB0120657B4CC081B95C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083046Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:16.390{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A0028D4E8A019DEB9AEDEEADF4C6B0,SHA256=206525CACFA2684FA6D8A5F6BA0929A2D4CBA50B21F67CD3FB780DCD7152FBC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:14.058{2E1864BB-FCA7-629E-2D00-000000006002}2900C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local49451- 23542300x8000000000000000264784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:16.158{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBFEAB4773786E905F6FE9BF2FE4075,SHA256=35A6A7160D04058DD877E8934CEFC95AB0CBB9BF3ED033A99423A33001701D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083047Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:17.487{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF7041F00CBBFCC13B7F73AD0774453,SHA256=DDDC858CEB4A06520B0AD905E6309660042F086D11D3D15DD042E7A2FEA1317A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:17.252{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E14D2F0714DB60A503F80D3662BCBD,SHA256=A66B1E9E3D1CA8BD16D305A95F97CF0F3D8AE4F7727A82F89762025A94746A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083049Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:18.580{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC24C01C578E8DFB7B20A25C736FE9B,SHA256=E8EA5265A3CE2C4043AE974D0F3E4260EA016EB2163F15D931CA6B08FBFDD93A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:16.699{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58759-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000264790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:18.612{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FC99-629E-1500-000000006002}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:18.612{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FC99-629E-1500-000000006002}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:18.612{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FC99-629E-1500-000000006002}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000264787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:18.346{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D6292D8DC5558DA0E941C93DBC47B4,SHA256=A11D01D6A6ED84046CC656235B8A376783273665A0EAC1C685D083F49C280A4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083048Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:15.718{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51707-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083050Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:19.783{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF219DEA14298CDB1627E5A8C50D71BF,SHA256=20DC6D32BFE16321FEC4663286E2D4F97C4CE7E90AC5FC46046CF76741BEC4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:19.440{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD34649D0856168BA260C345E35D386B,SHA256=5BF64BAEFB0B6D27B745C5C169EB277225468CBCA9B857298DDE763A0F2012EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083051Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:20.877{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9740239B39A0059DC413FEDDD6175AA,SHA256=98D02584821CFD5ECCF16C731268BAD8D35ACB1A43017B74BEA4889B7A246581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:20.533{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3186D3567243E7CF412B0ABD7FC4CA0,SHA256=0F2B4F43873D81A5CCB1CA60FD5DE2B0E422E7B84D8E48E48C6F673574EA084F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:21.627{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDD6DDD57D5379AEEB95C8E8E5C0A1F,SHA256=72CCE535D7FA3073E3246022D91318AF6508D0E8F3B076952F54F5312162A175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:22.721{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713525EDAD3346FFC54FB438349B6F09,SHA256=27FC8442A93155E5BE2FE1DE9C9855B9642F566678F7364151DAD0BB7E9FED51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083052Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:22.080{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB221CDA9A22665BD5746FD31D27FBA,SHA256=CCF7CDD39797FFEC5481023406A97557FF47A7EFCCB01F61693CF49F099EC790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:23.815{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85ACA4EF24C1A22702C6D20D817DA7A8,SHA256=A84E57F06F37F5B7B86D56AE446A729784525C2033F7E29A1325EFE6CAD92928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083054Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:23.393{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F69242BBDF8166D7598599EBCE249B7,SHA256=B136A1C714CC6A39937AFDC7EBF46F28129DC40776F5B9B72B08DA954D2C2388,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083053Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:20.784{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51708-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:24.909{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD50AD06737371258C4B2FCBB02C55B,SHA256=20A0065C36B1F2C9A8AA6E570B36C315104A2D5F9D324CAC9655C8981DDA5572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083055Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:24.380{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595C098D723CA18861536FAFA2F6EF38,SHA256=B989A47F35E45ED85FF3B2CE48C7BEBE22094D2AAF44FD173AD472A691A46016,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:22.558{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58760-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083056Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:25.691{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34DA879BEFCCBF3EACBAACD4CF1AF4E,SHA256=D8826221BA2978CEBB84FDF598971CAFA5C86EBF144F81DC3AEFFFA3ACEE79D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083083Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.940{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7D84D3A990E392783D2E2F8E743758,SHA256=84F77AB1D5B0FBCA7831E0F8383085DA0D010CA0B73C3345ACAD3FCAA3E3D007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:26.002{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12BE3415719ACA77C141A7DF33AA094,SHA256=5AFE8F6D58E11F60F3277980C57A5C668B834420367135313602776B90245634,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083082Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.643{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-2502-629F-5605-000000006102}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083081Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.643{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083080Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.643{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083079Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.643{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083078Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.643{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083077Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.643{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083076Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.643{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083075Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.643{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083074Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.643{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083073Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.643{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083072Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.643{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-2502-629F-5605-000000006102}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083071Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.643{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-2502-629F-5605-000000006102}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083070Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.644{0A5DF930-2502-629F-5605-000000006102}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083069Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.002{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-2502-629F-5505-000000006102}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083068Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.002{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083067Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.002{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083066Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.002{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083065Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.002{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083064Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.002{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083063Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.002{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083062Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.002{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083061Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.002{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083060Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.002{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083059Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.002{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-2502-629F-5505-000000006102}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083058Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.002{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-2502-629F-5505-000000006102}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083057Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.003{0A5DF930-2502-629F-5505-000000006102}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083099Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:27.987{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=303D2158EF146596E7DB5A2496BC29F0,SHA256=8090092988A6062EC744B98BCCB676A245DA6E5036C0F0618BDB5D384579E1B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:27.096{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2DC82A715A30918EE93FD0A39596C66,SHA256=0E2B68D6C8D190969BF21992DBD473F61D26BF754BAF811205805D7066920569,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083098Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:27.346{0A5DF930-2503-629F-5705-000000006102}5123524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083097Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:27.174{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDDEB758C965B2E011E16E9CE6ADFCA9,SHA256=0B76CD255FCBDA0CCC668CB5B97CDFE788D83DF355B938DE2E2BBA46EE345FF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083096Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:27.143{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-2503-629F-5705-000000006102}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083095Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:27.143{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083094Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:27.143{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083093Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:27.143{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083092Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:27.143{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083091Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:27.143{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083090Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:27.143{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083089Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:27.143{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083088Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:27.143{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083087Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:27.143{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083086Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:27.143{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-2503-629F-5705-000000006102}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083085Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:27.143{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-2503-629F-5705-000000006102}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083084Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:27.144{0A5DF930-2503-629F-5705-000000006102}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000264808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:28.862{2E1864BB-FCD7-629E-9400-000000006002}50246132C:\Windows\Explorer.EXE{2E1864BB-0DF4-629F-1303-000000006002}504C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:28.862{2E1864BB-FCD7-629E-9400-000000006002}50246132C:\Windows\Explorer.EXE{2E1864BB-0DF4-629F-1303-000000006002}504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:28.862{2E1864BB-FCD7-629E-9400-000000006002}50246132C:\Windows\Explorer.EXE{2E1864BB-0DF4-629F-1303-000000006002}504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:28.862{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0DF4-629F-1403-000000006002}5568C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:28.862{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0DF4-629F-1403-000000006002}5568C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:28.862{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0DF4-629F-1403-000000006002}5568C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:28.862{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0DF4-629F-1403-000000006002}5568C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000264801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:28.190{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96DA7591C19636A107C836F1799CB84,SHA256=45915529B172804953AFC79BF54E40C43B40A8035BD376FEFDDA7721EF16721A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083129Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.799{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-2504-629F-5905-000000006102}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083128Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.799{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083127Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.799{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083126Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.799{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083125Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.799{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083124Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.799{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083123Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.799{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083122Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.799{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083121Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.799{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083120Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.799{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083119Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.799{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-2504-629F-5905-000000006102}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083118Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.799{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-2504-629F-5905-000000006102}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083117Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.800{0A5DF930-2504-629F-5905-000000006102}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000083116Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:26.643{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51709-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000083115Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.549{0A5DF930-2504-629F-5805-000000006102}30762396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083114Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.549{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083113Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.284{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-2504-629F-5805-000000006102}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083112Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.284{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083111Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.284{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083110Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.284{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083109Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.284{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083108Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.284{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083107Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.284{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083106Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.284{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083105Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.284{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083104Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.284{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083103Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.284{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-2504-629F-5805-000000006102}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083102Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.284{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-2504-629F-5805-000000006102}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083101Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.284{0A5DF930-2504-629F-5805-000000006102}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083100Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.018{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67FF229799B343FA0BDAF189CA57DFF,SHA256=ADEB5D2B0C553BB8453F00FCA95ACBEC20B746BA2C4F9424E1668B032C81A949,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:29.283{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E93543777FFA922997BE27872C304B55,SHA256=BBDE808490CD02E6ED3A2BAD4D25C9B8B3CCFACC19DCCBAEB1FB98C19FC879D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083145Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:29.618{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374DC36D62E6C069557A300FC90B57B0,SHA256=5388D8EFB7F349BE7CC3452483BA60DF8E0D90222D6F5DBCC07A7432A2923016,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083144Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:29.549{0A5DF930-2505-629F-5A05-000000006102}11683380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083143Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:29.299{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-2505-629F-5A05-000000006102}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083142Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:29.299{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083141Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:29.299{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083140Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:29.299{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083139Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:29.299{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083138Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:29.299{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083137Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:29.299{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083136Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:29.299{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083135Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:29.299{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083134Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:29.299{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-2505-629F-5A05-000000006102}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083133Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:29.299{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083132Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:29.299{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-2505-629F-5A05-000000006102}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083131Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:29.300{0A5DF930-2505-629F-5A05-000000006102}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083130Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:29.033{0A5DF930-2504-629F-5905-000000006102}932956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000083147Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:28.128{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51710-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000083146Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:30.549{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92540B5252EB7971AA2A8E8073294B62,SHA256=1B85E53F59115349D293F37B188ABD5296B682A3C507E68D9003BB0F1BB8F548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:30.377{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4CB3E3DF5BAD0D329EBE36B314F0947,SHA256=5754F4C9C476D0AB68CB0E3763D7BD70B733B882BBC2A2821CE03D982456DBD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083149Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:31.646{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD5842630EE12489E370A02ED3B12F0,SHA256=727EC52F46C76A763DFEEB68BC565AAAFC7EEA1DC77B0D66108F6C74415472A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:31.471{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18447ADF9387E2BA0F5E6225B854BF10,SHA256=C06BE0204606BEDB40B4ED975E0979A8BD8D3A2937DA91F8F23B761CEFA339F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083148Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:31.101{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220607072316-166MD5=9111EC41FF83C628EF84330FEA05BEAD,SHA256=3F7BCDBE67AB8824DC300550CB45B7322968B387BF2CE401070A8C26F347D813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:31.299{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E022364C34F1F686A3FD4DA8280B8A92,SHA256=444A72EC7EC88733A62CF2AF2210DDAD952DC9B0838A1F633A3B1D57E0FA5292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:31.299{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=78FCC0830265EC657F42A07E5C9C7026,SHA256=00E241A2FFF92450080C588F543C42E6F959AB27357365E4F6B80EE2175E27DA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000264833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:31.252{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=37ED3AD42C1D2E712097DF06A1CD0FD8203B3C883288EF2E9E791966E537886D 13241300x8000000000000000264832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:31.252{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x8000000000000000264831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local2022-06-07 10:14:31.252C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=37ED3AD42C1D2E712097DF06A1CD0FD8203B3C883288EF2E9E791966E537886D 13241300x8000000000000000264830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:31.252{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x8000000000000000264829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:31.252{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x8000000000000000264828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:31.252{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x8000000000000000264827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:31.252{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x8000000000000000264826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:31.252{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x8000000000000000264825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteValue2022-06-07 10:14:31.252{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x8000000000000000264824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteValue2022-06-07 10:14:31.252{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x8000000000000000264823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteValue2022-06-07 10:14:31.237{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x8000000000000000264822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteValue2022-06-07 10:14:31.237{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x8000000000000000264821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteValue2022-06-07 10:14:31.237{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x8000000000000000264820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:31.237{2E1864BB-FC96-629E-0B00-000000006002}6286016C:\Windows\system32\lsass.exe{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:31.190{2E1864BB-0DF4-629F-1403-000000006002}55686068C:\Windows\system32\conhost.exe{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:31.190{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:31.190{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:31.190{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:31.190{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:31.190{2E1864BB-FCD4-629E-8100-000000006002}27523672C:\Windows\system32\csrss.exe{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:31.190{2E1864BB-0DF4-629F-1303-000000006002}5045116C:\Windows\system32\cmd.exe{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:31.196{2E1864BB-2507-629F-EC05-000000006002}5908C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{2E1864BB-0DF4-629F-1303-000000006002}504C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 354300x8000000000000000264811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:28.511{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58761-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000083164Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:32.928{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-2508-629F-5B05-000000006102}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083163Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:32.928{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083162Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:32.928{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083161Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:32.928{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083160Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:32.928{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083159Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:32.928{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083158Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:32.928{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083157Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:32.928{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083156Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:32.928{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083155Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:32.928{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083154Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:32.928{0A5DF930-FCDF-629E-0500-000000006102}408528C:\Windows\system32\csrss.exe{0A5DF930-2508-629F-5B05-000000006102}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083153Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:32.928{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-2508-629F-5B05-000000006102}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083152Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:32.929{0A5DF930-2508-629F-5B05-000000006102}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083151Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:32.740{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03F1D885BEBDDC279386848C5726D0B,SHA256=3D47871A8A84D32A9D7A92E00F089EB03C50BC63DA6443F1F236EBF229B83E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:32.580{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8B5E35AF927D2C4DCE281E0725DEFD,SHA256=CA17C2D8E938024FFABFEDF0A0E119F06B69AF1140A923CA9FECDD2307DB1B34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083150Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:32.100{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220607072314-167MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:29.605{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local58762-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000264837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:29.605{2E1864BB-FCA7-629E-2A00-000000006002}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local58762-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x800000000000000083166Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:33.834{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569E7B8F2DEC86626E04F9B4D4CF9B0A,SHA256=E94A81E924DD3F01D6022C80F91EF2908DDA765E0F14BC397AB15F7C262176FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:33.668{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148426DF96B20DA4CAC260BB73A6D0A6,SHA256=6D9D81125C72AA5180AC4736268BB6C341ED233CF19C705C355F429221BF0E80,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083165Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:31.693{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51711-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:33.212{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220607072217-167MD5=26E254714248D0D79F13F56976A5C4B7,SHA256=C15338F826599CD6AABDB3AEEABC6E7FD705959E0E9A072D05126DC09FC03A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:34.751{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4552836D954EDDA8C9D64A9D01F4C1C4,SHA256=560A145727063A44F3661592836E66DFE9B95235B247C912EA40417B8C51B06A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083167Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:34.053{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A59EB01D8DCAB3B662E691FC1ECEBEAA,SHA256=A5F0EBE5047276063481BBBE49D6CA5352178076D7E23D7B4A551F8237190BBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:34.216{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220607072215-168MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:35.845{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5EE7AE45705EEDF866E725C1771149B,SHA256=959561E0B16FB665F1548BADEB37DF1C1087B7DDA56342057C9DB063419B87F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083168Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:35.147{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA7299F2763C099FA029317855AB7588,SHA256=0B505B7AAD58AEEF49FB4C835D8E5E0D860B0C7B415661AB909924A0266D2442,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:35.110{2E1864BB-FCD7-629E-9400-000000006002}50246132C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:35.110{2E1864BB-FCD7-629E-9400-000000006002}50246132C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:35.110{2E1864BB-FCD7-629E-9400-000000006002}50246132C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:35.095{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-0001-000000006002}2620C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:35.095{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-0001-000000006002}2620C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:35.095{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-0001-000000006002}2620C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:35.095{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-0001-000000006002}2620C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083169Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:36.459{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69103E5714F66D8DC631BF33A9CE3A0B,SHA256=3F6DCA9D1353221FA7D034AFD2040B7D24D3374E4AF34854A1FFA0CE79939282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:36.938{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11B8497F22B2EDC98C70821B308404A,SHA256=B3321811501174811BBEB508F955C0852B5359539737E23DD9014ED518A5DCA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:34.525{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58763-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083170Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:37.662{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8ACEF5C95C4A1C9D9CECC8805D70E4,SHA256=36F0B13FFA871BCC1AB7AC04B03F3441B221E03238371F4806033233D3182664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.782{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35FFBD5ACB0BE66A8B685C8646550016,SHA256=19FB582899104DDDA1D0378C99C7F428651DD599CCE93526767F2BCA92FA0E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.766{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E66655EDFABAE9869A1595904DF33E9,SHA256=2A9926FBC7B53ED1E1AE63693A4D1B791B401453B4D6D5A5B46EB6725C660998,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000264997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.localT1060,RunKeyDeleteValue2022-06-07 10:14:37.720{2E1864BB-250D-629F-FC05-000000006002}2732C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender 10341000x8000000000000000264996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.720{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-250D-629F-FC05-000000006002}2732C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.704{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.704{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.704{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.704{2E1864BB-FCD4-629E-8100-000000006002}27524456C:\Windows\system32\csrss.exe{2E1864BB-250D-629F-FC05-000000006002}2732C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.704{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.704{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-250D-629F-FC05-000000006002}2732C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.713{2E1864BB-250D-629F-FC05-000000006002}2732C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 12241200x8000000000000000264988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteValue2022-06-07 10:14:37.704{2E1864BB-250D-629F-FB05-000000006002}4592C:\Windows\system32\reg.exeHKU\S-1-5-21-2288555880-4262873989-2564540558-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender 10341000x8000000000000000264987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.688{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-250D-629F-FB05-000000006002}4592C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.673{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.673{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.673{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.673{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.673{2E1864BB-FCD4-629E-8100-000000006002}27521252C:\Windows\system32\csrss.exe{2E1864BB-250D-629F-FB05-000000006002}4592C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.657{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-250D-629F-FB05-000000006002}4592C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.668{2E1864BB-250D-629F-FB05-000000006002}4592C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 12241200x8000000000000000264979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteValue2022-06-07 10:14:37.657{2E1864BB-250D-629F-FA05-000000006002}4272C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\Windows Defender 10341000x8000000000000000264978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.642{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-250D-629F-FA05-000000006002}4272C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.626{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.626{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.626{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.626{2E1864BB-FCD4-629E-8100-000000006002}27523628C:\Windows\system32\csrss.exe{2E1864BB-250D-629F-FA05-000000006002}4272C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.626{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.626{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-250D-629F-FA05-000000006002}4272C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.636{2E1864BB-250D-629F-FA05-000000006002}4272C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 12241200x8000000000000000264970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteKey2022-06-07 10:14:37.580{00000000-0000-0000-0000-000000000000}4496C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender 10341000x8000000000000000264969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.580{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-250D-629F-F905-000000006002}4496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.580{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.580{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.580{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.580{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.580{2E1864BB-FCD4-629E-8100-000000006002}27521252C:\Windows\system32\csrss.exe{2E1864BB-250D-629F-F905-000000006002}4496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.580{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-250D-629F-F905-000000006002}4496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.584{2E1864BB-250D-629F-F905-000000006002}4496C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 12241200x8000000000000000264961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteKey2022-06-07 10:14:37.565{00000000-0000-0000-0000-000000000000}5904C:\Windows\system32\reg.exeHKCR\Drive\shellex\ContextMenuHandlers\EPP 10341000x8000000000000000264960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.565{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-250D-629F-F805-000000006002}5904C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.565{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.565{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.565{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.565{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.565{2E1864BB-FCD4-629E-8100-000000006002}27521252C:\Windows\system32\csrss.exe{2E1864BB-250D-629F-F805-000000006002}5904C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.565{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-250D-629F-F805-000000006002}5904C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.570{2E1864BB-250D-629F-F805-000000006002}5904C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 12241200x8000000000000000264952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteKey2022-06-07 10:14:37.548{2E1864BB-250D-629F-F705-000000006002}4620C:\Windows\system32\reg.exeHKCR\Directory\shellex\ContextMenuHandlers\EPP 10341000x8000000000000000264951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.532{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-250D-629F-F705-000000006002}4620C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.532{2E1864BB-FCD4-629E-8100-000000006002}27524456C:\Windows\system32\csrss.exe{2E1864BB-250D-629F-F705-000000006002}4620C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.532{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.532{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.532{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.532{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.532{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-250D-629F-F705-000000006002}4620C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.540{2E1864BB-250D-629F-F705-000000006002}4620C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 12241200x8000000000000000264943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteKey2022-06-07 10:14:37.517{2E1864BB-250D-629F-F605-000000006002}4912C:\Windows\system32\reg.exeHKCR\*\shellex\ContextMenuHandlers\EPP 10341000x8000000000000000264942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.517{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-250D-629F-F605-000000006002}4912C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.501{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.501{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.501{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.501{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.485{2E1864BB-FCD4-629E-8100-000000006002}27524456C:\Windows\system32\csrss.exe{2E1864BB-250D-629F-F605-000000006002}4912C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.485{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-250D-629F-F605-000000006002}4912C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.499{2E1864BB-250D-629F-F605-000000006002}4912C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 13241300x8000000000000000264934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.localT1060,RunKeySetValue2022-06-07 10:14:37.485{2E1864BB-250D-629F-F505-000000006002}4476C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender(Empty) 10341000x8000000000000000264933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.485{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-250D-629F-F505-000000006002}4476C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.485{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.485{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.485{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.485{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.470{2E1864BB-FCD4-629E-8100-000000006002}27521252C:\Windows\system32\csrss.exe{2E1864BB-250D-629F-F505-000000006002}4476C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.470{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-250D-629F-F505-000000006002}4476C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.466{2E1864BB-250D-629F-F505-000000006002}4476C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 10341000x8000000000000000264925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.454{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000264924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:37.454{2E1864BB-250D-629F-F405-000000006002}2084C:\Windows\system32\reg.exeHKU\S-1-5-21-2288555880-4262873989-2564540558-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender(Empty) 10341000x8000000000000000264923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.454{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.454{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.454{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.439{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}2084C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.439{2E1864BB-FCD4-629E-8100-000000006002}27521252C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2084C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.439{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}2084C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.447{2E1864BB-250D-629F-F405-000000006002}2084C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 13241300x8000000000000000264916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:37.439{2E1864BB-250D-629F-F305-000000006002}3816C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\Windows Defender(Empty) 10341000x8000000000000000264915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.423{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}3816C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.423{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.423{2E1864BB-FCD4-629E-8100-000000006002}27523672C:\Windows\system32\csrss.exe{2E1864BB-250D-629F-F305-000000006002}3816C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.423{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.423{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.423{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.423{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-250D-629F-F305-000000006002}3816C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.423{2E1864BB-250D-629F-F305-000000006002}3816C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 13241300x8000000000000000264907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:37.407{2E1864BB-250D-629F-F205-000000006002}5852C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger\StartDWORD (0x00000000) 10341000x8000000000000000264906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.392{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-250D-629F-F205-000000006002}5852C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.392{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.392{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.392{2E1864BB-FCD4-629E-8100-000000006002}27523628C:\Windows\system32\csrss.exe{2E1864BB-250D-629F-F205-000000006002}5852C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.392{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.392{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-250D-629F-F205-000000006002}5852C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.392{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.386{2E1864BB-250D-629F-F205-000000006002}5852C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 13241300x8000000000000000264898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:37.360{2E1864BB-250D-629F-F105-000000006002}5344C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger\StartDWORD (0x00000000) 10341000x8000000000000000264897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.360{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-250D-629F-F105-000000006002}5344C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.360{2E1864BB-FCD4-629E-8100-000000006002}27523628C:\Windows\system32\csrss.exe{2E1864BB-250D-629F-F105-000000006002}5344C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.360{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.360{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.360{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.360{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.360{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-250D-629F-F105-000000006002}5344C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.360{2E1864BB-250D-629F-F105-000000006002}5344C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 13241300x8000000000000000264889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:37.345{2E1864BB-250D-629F-F005-000000006002}6076C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\(Default)(Empty) 10341000x8000000000000000264888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.345{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-250D-629F-F005-000000006002}6076C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.329{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.329{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.329{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.329{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.329{2E1864BB-FCD4-629E-8100-000000006002}27521252C:\Windows\system32\csrss.exe{2E1864BB-250D-629F-F005-000000006002}6076C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.329{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-250D-629F-F005-000000006002}6076C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.340{2E1864BB-250D-629F-F005-000000006002}6076C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 13241300x8000000000000000264880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:37.313{2E1864BB-250D-629F-EF05-000000006002}4204C:\Windows\system32\reg.exeHKCR\Drive\shellex\ContextMenuHandlers\EPP\(Default)(Empty) 10341000x8000000000000000264879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.313{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-250D-629F-EF05-000000006002}4204C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.298{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.298{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.298{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.298{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.298{2E1864BB-FCD4-629E-8100-000000006002}27523628C:\Windows\system32\csrss.exe{2E1864BB-250D-629F-EF05-000000006002}4204C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.298{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-250D-629F-EF05-000000006002}4204C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.309{2E1864BB-250D-629F-EF05-000000006002}4204C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 13241300x8000000000000000264871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:37.282{2E1864BB-250D-629F-EE05-000000006002}844C:\Windows\system32\reg.exeHKCR\Directory\shellex\ContextMenuHandlers\EPP\(Default)(Empty) 10341000x8000000000000000264870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.282{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-250D-629F-EE05-000000006002}844C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.282{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.282{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.282{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.282{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.282{2E1864BB-FCD4-629E-8100-000000006002}27524456C:\Windows\system32\csrss.exe{2E1864BB-250D-629F-EE05-000000006002}844C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.282{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-250D-629F-EE05-000000006002}844C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.281{2E1864BB-250D-629F-EE05-000000006002}844C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 13241300x8000000000000000264862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:37.266{2E1864BB-250D-629F-ED05-000000006002}1376C:\Windows\system32\reg.exeHKCR\*\shellex\ContextMenuHandlers\EPP\(Default)(Empty) 10341000x8000000000000000264861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.251{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-250D-629F-ED05-000000006002}1376C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.251{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.251{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.251{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.251{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.251{2E1864BB-FCD4-629E-8100-000000006002}27521252C:\Windows\system32\csrss.exe{2E1864BB-250D-629F-ED05-000000006002}1376C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000264855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.251{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-250D-629F-ED05-000000006002}1376C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000264854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:37.258{2E1864BB-250D-629F-ED05-000000006002}1376C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCR\*\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000083171Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:38.865{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07499D5375B292BBE73190EB2B90CD5F,SHA256=60D711D380F13B3F41C581F6F1BF9F4A7F9222E637C1DEEB1EE20A096E13CCE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:38.391{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A886534611B5C65B264D8C7DB35A7A2C,SHA256=9737A079A8CBFBFF11010C82042CF0C661ABC617A59E74F4F387E209B2FE7BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:38.001{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B23A204D10B532386D18AE2AAC99CA1,SHA256=C3EF83195F05458520807D56F31DE7DA5CCCE5BB8F9273CCB0E23962D1EC492F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083172Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:39.958{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B7B0A7D6661D994EA23E9D298D212C,SHA256=A3515309F01D04B924B88957FB71E061D8E5FEAA95A695FBD1B23E8321A759CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:39.095{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB0653BC85FF1EA8FD4332045534618,SHA256=50C9CE5566B7B0DD9C73DA5F5F0389362EACBFAF02AEE90A507E6B75AD903380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:40.188{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943D34D18AF8ED5CE666D02AB22BFAE9,SHA256=D3AC0888F7446DFAA54DCB6891123C74BDA137D162432FD83B1265AB9E869A36,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083173Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:36.802{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51712-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000265005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:39.572{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58764-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:41.282{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40ACB3BA857309B1338FA8C2053F94DC,SHA256=A9C6174038C2B77AF326F7F29394C34FA0CECC196CDBE3D0339ED6B08FEB7B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083174Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:41.053{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B49FB028C94C09C5E2BE5A939A314B,SHA256=4777147F6551CD8AD3A0F16F6013A0E0B740293C4831E5505A3DDCA3E3ACA8BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:42.532{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:42.376{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91199207A7D6FCEA0D011640CFE0F70A,SHA256=8356FD65842D4A25E6532F1C5A80C8D8866F81227F90F46A614E934E051D4692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083175Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:42.256{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84EDB81945DDB5DF94137A1A07FDB7BE,SHA256=A4B5FB51F9974F2D8CA946AFB0EBA2D81A08E7C26B1CC4BE584EA271AE61AD16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:43.470{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ABAE4C9AAFC7893B53422122486EC2C,SHA256=1F42AD0C7AE7797F7F7A16B04A5080E5D286270AF18D90CD792310312A67F1F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083176Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:43.568{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF97B153A60A7CF7C9CEC8DA7B1DB7C5,SHA256=E40FE8B85DF4746D1B766833FFE59595D56697AF27E9A2B0037084970C7FC1F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:41.963{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58765-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000265009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:44.563{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA273CBE2C8F1FC2C1438ADFA7D2498B,SHA256=21933C3842E96F2232202150415B2EA2F053FD2D2B51BF58C58EFB7D6903CF6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083178Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:44.661{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054DB24807F3852DA6ACED4158B5D1B4,SHA256=E84E542A1FBBF03145830C948B0B0EEF2100761AD3C0436729045515B95B4CAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083177Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:41.836{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51713-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:45.657{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD82FEF265851ABA5A215EBB93BEF2D,SHA256=E56978268CCA5F0F4B6C7A17A4A66300EC28808B32F217CFD4865D83671FF268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083179Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:45.865{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB29115D60EC4B790DD2ACD24F4F929,SHA256=96024F94391B2F1E515940272185EC622330C9FECAE45A66A19356DBF31FDC3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083180Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:46.958{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874414EB3EBE2CB0D18D129D8901B36F,SHA256=BDBEACCCCE87410A2285BAA612D831C04004CFE90D12B064E42DC9A4F6A427BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:46.751{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F39CFCE084280FA57F01EFE81F97371,SHA256=98FAA9AE718A71FA7F780D18CD05C8193D4BA5F8DA3676FC7569F3AF1884729F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:47.845{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D3D4A868886E57211206ED3EF7F424,SHA256=C582C7A18AAC6345F328D485C5879ED335DE183E11B7A38126F647D65C49DC37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:45.541{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58766-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:48.938{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B047FD5744FA323BB8DCC28BA4A0564,SHA256=15E78FC98C793365B40051736D5F4826717FE8886246092107025D849EAD7AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083181Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:48.271{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E6DC403EBD685B90E176A927DEC873,SHA256=B8E1DF8AC0EB3F9E5B1DA104A9AFCA86410D2FBB24E7015FEB16DB67D592B25D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000265024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:48.048{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000265023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:48.048{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009ee87b) 13241300x8000000000000000265022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:48.048{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d87a4f-0x087ee069) 13241300x8000000000000000265021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:48.048{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87a57-0x6a434869) 13241300x8000000000000000265020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:48.048{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d87a5f-0xcc07b069) 13241300x8000000000000000265019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:48.048{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000265018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:48.048{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009ee87b) 13241300x8000000000000000265017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:48.048{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d87a4f-0x087ee069) 13241300x8000000000000000265016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:48.048{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87a57-0x6a434869) 13241300x8000000000000000265015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 10:14:48.048{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d87a5f-0xcc07b069) 354300x800000000000000083183Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:47.786{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51714-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083182Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:49.474{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB807A8BA8E1949A4E53DDB3605B9635,SHA256=D395DCD70254FB903C35D3B8FAEF20925DE0BD55370EFE3735A0A229747C9F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083184Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:50.568{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260C4DF0B3BCC73A6A5C41A6E3EA47DD,SHA256=35FCBA556DAAD26F8ADA9322BE86B8F3A282BD2A19EAB94B38D0099D79A34FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:50.032{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9A63F7A9C5B0C9EF4F7F62167D613E,SHA256=4565DBD9ADC1F0CD8D92290AE0AC9BDAD7CD62A187C9B24A89741394C9F353C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083185Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:51.771{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B49FB73424D5A3216028D00833A5843,SHA256=46AFF03AE22BFE8C2AFD3009634699EC7A32D4EFB533F19CC2FE736ABF8799D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:51.126{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D3574A65B5CA2CDE81896C4DB872ADE,SHA256=F3D5606C4E6260027A9ABDC2CEE00353F486F303306EA89E7974FDCA0B97FA8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083186Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:52.865{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A460F366F52D06E865F04C7F7956CFC2,SHA256=59F2CC79CF048276B10B055E8B0C2317B2909355E9F4FB4DADC9614BB1D9AC2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:50.541{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58767-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:52.220{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4646AD950F6A085617959F19463EB5,SHA256=3B812FB3AACBDD24EC3C9D9CF7F3113FEAB6C83EB2FA2330DF22499E6C1BEEBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083187Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:53.958{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED86692065DEC90FA9BFB42706008D9,SHA256=AB8F6D4EDC038679CA67F2A8FE1919C8A26FB37E47FF1A76BD5EBF091C0EB86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:53.313{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9CA32A72CAF1D51AAE079A6054FE69,SHA256=3EC5C058CFD7499C9B8A457221A7E0929FD2A831CA7487822EA9F3961C14FE29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:54.423{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23CD1AD50F77625133B7A7098D9E6412,SHA256=69D64453F9D47434C6C390C8A5B049246CD385AC906BB763A5B0B4E55059FD86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:55.516{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF4845D27AAD4104D015D5F5397362B,SHA256=890BEB3EC50537045C8748BFEF9E780A9B9FAC9BDD793D0C18AD85A5F6AB4CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083188Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:55.271{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9992B9D1ACAB61844477923D8B43927,SHA256=45788325C55E01224EA15C9871A8D055B1803E5F049F3702B3AC47BD611A59B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083190Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:53.833{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51715-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083189Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:56.474{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8855DADF8896B934E17CC503C9A122B,SHA256=D3779D6C2C3CC23F16A3A87545CFD4DEBAF93619AC32C084D18F79BFE86DDFB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.907{2E1864BB-2520-629F-FE05-000000006002}56405012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.735{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-2520-629F-FE05-000000006002}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.735{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.735{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.735{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.735{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.735{2E1864BB-FC96-629E-0500-000000006002}412528C:\Windows\system32\csrss.exe{2E1864BB-2520-629F-FE05-000000006002}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.735{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-2520-629F-FE05-000000006002}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.736{2E1864BB-2520-629F-FE05-000000006002}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.610{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8F956D98C5BBC6992E9FF6A8D0ACB3,SHA256=6D1714CA607E68AB3804F5B37CF5B73C1B7C9833CD9E7A772347BDE9CBA684E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.063{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-2520-629F-FD05-000000006002}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.063{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.063{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.063{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.063{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.063{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-2520-629F-FD05-000000006002}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.063{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-2520-629F-FD05-000000006002}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:56.064{2E1864BB-2520-629F-FD05-000000006002}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000265068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.891{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-2521-629F-0006-000000006002}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.891{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.891{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.891{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.891{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.891{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-2521-629F-0006-000000006002}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.891{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-2521-629F-0006-000000006002}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.893{2E1864BB-2521-629F-0006-000000006002}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.704{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CCEA1C896FCF72F958ECD9DD1A6638D,SHA256=E55F010178AAA6A13ABC6718878EAAA2B7EC99962E3338E98FEA9BA47D001348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083191Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:57.787{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F67B40927FFB1E96FB688786C656E40,SHA256=679EE3B09C59D4600BF50A0F26ED76A04DB33F0B8C41DC7FFD23FDF8A329A26E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.251{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-2521-629F-FF05-000000006002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.251{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.251{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.251{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.251{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.251{2E1864BB-FC96-629E-0500-000000006002}412692C:\Windows\system32\csrss.exe{2E1864BB-2521-629F-FF05-000000006002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.251{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-2521-629F-FF05-000000006002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.252{2E1864BB-2521-629F-FF05-000000006002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:57.220{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=654BBDCED205AA60ED6B85165402C0BC,SHA256=8A805269AEF5E44FB3DEC5AC76B4C0DE8AA329418A7F77CF43D00BF81B61CE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083193Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:58.990{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80219866C5C4486B2847B33E576C792E,SHA256=67315A2297FEAF62C6BB51BC319B4E7C7A2DEBB18C04450B07D7A884907DBC51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:58.907{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5067E2FF86F73F572195307867D804,SHA256=D10159D4A1138C5C11C2C6F210307336AB459F889AE8F57DE222F04914FE9C7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:58.813{2E1864BB-2522-629F-0106-000000006002}58844212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:58.516{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-2522-629F-0106-000000006002}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:58.516{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:58.516{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:58.516{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:58.516{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:58.516{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-2522-629F-0106-000000006002}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:58.516{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-2522-629F-0106-000000006002}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:58.517{2E1864BB-2522-629F-0106-000000006002}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000265070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:58.079{2E1864BB-2521-629F-0006-000000006002}53844652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000265069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:55.541{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58768-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083192Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:58.287{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=021352594303844EDF6EB6124A860BD5,SHA256=9829CF6AD7EA8ED42B301B6E79A9803F4B772695858B319C7532991DE8F03F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.891{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86AF3D8204D30E53B3A6DD1CFE9E288,SHA256=C5B5B89AF3C58EFFBD16F04D3590689145A089D09A84478C1FB638282A70A8EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.516{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-2523-629F-0306-000000006002}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.516{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.516{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.516{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.516{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.516{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-2523-629F-0306-000000006002}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.516{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-2523-629F-0306-000000006002}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.517{2E1864BB-2523-629F-0306-000000006002}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000265089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.235{2E1864BB-2523-629F-0206-000000006002}11361452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.016{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-2523-629F-0206-000000006002}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.016{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.016{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.016{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.016{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.016{2E1864BB-FC96-629E-0500-000000006002}412528C:\Windows\system32\csrss.exe{2E1864BB-2523-629F-0206-000000006002}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.016{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-2523-629F-0206-000000006002}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:14:59.017{2E1864BB-2523-629F-0206-000000006002}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:00.985{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF96D4B23AA86547438E4E39AC39805,SHA256=141D956C041BC476754E8A4CE1988ED9A09235605252655DD3DFFC8C93CB5C1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083195Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:14:58.833{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51716-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083194Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:00.193{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039360ADA067DD8A4A83E9B0792E51E6,SHA256=7668FBCD58DCF54C73CD884A4641443079B9166C65AEAFAC17982950F58C50D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:00.563{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7E0D8AADCBB1855EE5F0F246F0D0B1B5,SHA256=C4FC0E8618C9D99463AAF1D544923E35141BB0E33FA7814B05A11D8BB1EA9FB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083196Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:01.506{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0278D73C683062BCD988BCB133684BC,SHA256=6C5E1FAA7CA84E71F4B2C964C698DAB13EDC73CF1B8EEF80179107F53F652916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083197Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:02.599{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3EF753BB217F4B73ED5487549521A3,SHA256=9CE53AACE1DF607036152696207A68628DBDFBDD07A125BB9096FB19A842E10A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:02.079{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9D586DE9D38F7A7A10FF4BB22236B0,SHA256=D8F283B5E90DD02D8FDB7FE408203483E3A0E134F94C7CFC8BA32CD27FF99185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083198Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:03.802{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A206114B485B5FC2B0EFF81B1B845AC8,SHA256=34C072165453B7DCACE89249E30A75504C6B833E574FD9D6AA5B718433D8DDB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:03.173{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F019696F02779A4EB6D1E8691BCFC4B,SHA256=9F0C62D6C3885177FA9B1E78DDED59CF64D8ED6184A2E746492B5B1BCCF1BACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:03.063{2E1864BB-FC99-629E-1200-000000006002}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=89CFCAB6584EE5C0FCD7A9BFDF469664,SHA256=5844A0CA27312B4379248FD34B1EDE0E1F13A2C1502701B9520B921B01D5B867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:04.266{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7B24E416C884DAA953537D0C8D8636,SHA256=EB67CE09E4F79F2A56A26D0913BA8C63195CFF060EC187E0CC3ECAD71AD29DAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:01.509{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58769-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:05.360{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BFB9A5B8123F6EBF16BFB21894009F,SHA256=117FB7AF8716187F9B98956462504D810B397DF46D3428CF9E0AE06B73893B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083199Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:05.115{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5278F1E370ABAA9C0FCDC905AF134D35,SHA256=FE95822B9F4C13B58B5E6F892B72BB76B567A036999C5AE34B2635F6BF759740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:06.470{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1425E808268A633E6588717E16CCA1C5,SHA256=4987E2CEFD1E7A2FDC8929EAECC986B248EA3E36DBC294FEEE9DBFF7AF2DF5BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083200Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:06.209{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18A3DD4766155805D8802EFD02944BB,SHA256=EF7662B45261F6B00EAD66E8C316F0521CD7E299CC8D1ED80D20893366A96141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:07.563{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A2BE9A8A259ADF5FA3C29840ADFDF0,SHA256=AC74413E1B2136817A3D160DC1BBF56938CB74F52B9C837B108167C4CA2FDF07,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083202Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:04.677{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51717-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083201Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:07.302{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C0FB7DFDA1EA9CADC079B6CEB9EAD1,SHA256=DD2DCBABF2AFA54950A2B8647D14FBB60DCAE81EBE3A0CE0AC149C8B0DBBD738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:08.657{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D3109BC8F1D386BAC50B2E10D6CFAE,SHA256=8DD85269B542C137EAFC0913EB019DC9C10E7488E45CDECCAE8F6739954B7D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083203Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:08.506{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D79349A502410FABC09F0F568E9FB79,SHA256=2E8ED3EC6EF7B2BE143F605D9A8B7587EBA5DF023DEE0D05F1FDA838762CC4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:09.751{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0B061B8EE7EDBE6E118D6596722244,SHA256=83C4325DC4DCDB37DDE9672BB3EE33F849F90FC99B1FC9CAADF4A8A0C0B27F8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083204Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:09.599{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DB70FF0B7B6BE5C3524E559B65C696,SHA256=0EDC7FFBB0B83D3BAB56832EE69428F9B0679AC93DC4F90E5A1C33A330CC14AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:06.634{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58770-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:10.845{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46EB96C70071CD37F020024F372583A,SHA256=D2FA95DDEA0B74BCD196F983BDBAD4979EFBCD5A5BE5174EBF5B75D4EC284A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083205Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:10.802{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA897BDBC5028DAC3465E86BDDA6DEDA,SHA256=00155FD9DFC74A50C7B8AD0F6C6BF7B02569CBE2532BA11D53825323DC0A85D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083206Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:11.896{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEF4AFB0F38BD827A259E711CEA3284,SHA256=82898A60A97B5AF44306B45794F946EBE342168561ABB813C56C73F84B760E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:11.938{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A4B4BF234B2E89DED61C16D5F38A731,SHA256=87B92475957376D56A3907AEB7E03B152B3F10519363222E24B42C3C3D1139A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083208Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:12.990{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491849227BA12164D2E56A343C0A06F2,SHA256=724066C83B40B4DAE86EAD4AFF5653992F0788C171D44887E45BB53CB7FF0E3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083207Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:09.693{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51718-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000265121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:13.376{2E1864BB-FCD7-629E-9400-000000006002}50243080C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:13.376{2E1864BB-FCD7-629E-9400-000000006002}50243080C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:13.376{2E1864BB-FCD7-629E-9400-000000006002}50243080C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:13.376{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:13.376{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:13.376{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:13.376{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000265114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:13.032{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49BB7A08C2ADA59C956A20436E8304B,SHA256=435D6C4CAF129E6413231BEA05423D2FE52437A1C023537A3697DAD3F2082688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083209Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:14.084{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1065EB6F0E6B61D65DB1B7CC57361C,SHA256=0403995D55050717ADCD39576DCC8CE7B7B3BDC7F2F893A564099ABC10B67CBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:14.126{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB197701002577F567BB090AAD5038D,SHA256=EDBE301DD6EFB2EC03870F1BF1A6D6929CF4A58B7FABEC5A24F8874D5E80E374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083211Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:15.177{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DABC02DE7C0395458D85A2FA69C1FA3,SHA256=1AA49CAA2D920B986565FE3B8F2999484E1AA252C178FF989B93E305D4FCEDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083210Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:15.162{0A5DF930-FCE1-629E-1100-000000006102}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=780A3FE884B21B11DB53AA59A3B5421F,SHA256=D06990D3F5A70106276AA7CCD281442E0883C5EF6F880849735230A2540FE856,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:12.603{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58771-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:15.220{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0070118C4C1EB84E56C7F3FE623CE41D,SHA256=8C743B975D47D2B6BFF3B8A34043605811BCCC97D648334302648CB15367392D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083216Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:16.916{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE1-629E-1300-000000006102}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083215Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:16.916{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE1-629E-1300-000000006102}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083214Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:16.916{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE1-629E-1300-000000006102}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000083213Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:14.708{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51719-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083212Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:16.381{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926579D9BAF4BD48EE9BB17CCF96BF53,SHA256=768BAFA5AB810183E7D50A35C254E6ED5280C0DFFEB6BD69F531BCCCB3672E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:16.329{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EBAF77CF383CB032E2B90E01D66261,SHA256=081094D006B93E85E2A7C5CD59D5E5399E78CF36D1A185D3EE6C038ABDE56E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083217Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:17.479{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5116C076B0ACDA1EDBD6119A0A691900,SHA256=C895734A92E70BAD265FED4C1A35AA73E2E42E52EDC29D7C7D968C93BCCE31DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:17.423{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F052599D87827D7FD1447352E474937F,SHA256=272687F0894143E4EEF80FE86F2F2F44E64F810740E644BEF2D18A344FF44383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:18.516{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106266ED6FE31B2389335FA60FCD0E77,SHA256=4828859318D3F9A6683AEF15B51C0904B0A67BB803101DB9428A5533E5243704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083218Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:18.573{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192BEE9AE0452636B5A644771FCC1FC0,SHA256=E4CF863CF2786B094CB8286E5388B4AFE871A555FAD4DB3C73D1096DD8D62508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083219Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:19.666{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5836D9D0059FD424A8044376FB122F6B,SHA256=06BEC5724091FC08BC171FF6C3E9AED3FD43977B61D51D3A7044BDBE50A1F51C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:19.610{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3601216F73FFFFC85909E3EDC2025802,SHA256=7B11621B471FC102291549DB92BD0E7858A5D3D379361B2B06D6FED7EBA545D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:20.704{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14E48BEA31C49CEC089A747AED777416,SHA256=EE39501718B19FED2B46CEEB66896930EC0DD44F1F94353988E5C3E5C728D3BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083220Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:20.870{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4E92CE9B2571A7649E8FDD4083FB9D,SHA256=E06717418866383217ED9D50050459DC8EEC4876825305DF73BDCCB208542EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083221Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:21.963{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE73478CC266FBC69A1AE9C63FF5B3D,SHA256=C99C71776CC5A08C2E0B6DE5BE1F1EA15CA0DC3A1D23E4DCC6F362C124ADA466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:21.798{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A0ABB45905F0893CA852A354535EFDB,SHA256=0125DEF8E96EC7D4EDFC46E143B50F1DF4ABC6E53799ACE90760791268DE65D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:18.620{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58772-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:22.891{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FAFA70E110231015707C894DDB656E,SHA256=47E6C159AD3A8A94A8548386028DA27532242BE45D19DB4895C9A6603E9C6694,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083222Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:20.712{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51720-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:23.985{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B866F1BAEEC9E341C05FF5CC2B98E6,SHA256=395CA4FE066DD36DBB36ABE0BD972A9E70481688DEBCDE9AB97F536BA5AD12A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083223Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:23.166{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C4F73066AC86152D8F1A0BF827FF30,SHA256=4309FADDA5B91C00250BF23AED9CA592C9D0348C0B200F9E89634040776F707B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083224Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:24.370{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6BF39BC29D9910AC08A440F5E495DD,SHA256=A3AA1BE9CA9CC6575598A3B12358115E19F9FAC8EC938890F3CB751ECD9A358D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083238Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:25.916{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-253D-629F-5C05-000000006102}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083237Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:25.916{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083236Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:25.916{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083235Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:25.916{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083234Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:25.916{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083233Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:25.916{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083232Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:25.916{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083231Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:25.916{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083230Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:25.916{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083229Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:25.916{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083228Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:25.916{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-253D-629F-5C05-000000006102}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083227Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:25.916{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-253D-629F-5C05-000000006102}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083226Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:25.917{0A5DF930-253D-629F-5C05-000000006102}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083225Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:25.463{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B190C2B538CE32C11F69CA0C007E71,SHA256=B70B8B0B03925302892F9BD7954292BB5296CCD6C47BDF22654D2A9C7E067C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:25.079{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DAA05CAF24D9CA2510C018A42248903,SHA256=DFF90944BA3D4658654A441AAE96A8ABE7B905A4B6DCCCD554A37678B21C74D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083254Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:26.948{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94569BBABACFE86DFA48ED92BFD12D45,SHA256=D806A6A4565CD195C1A7DBA60BD6EE03669BFCF482E2F301170D6A5D8048E2CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083253Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:26.683{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBEEF08B31AA0B71AB847E28BC26D57,SHA256=235F2D7FE251EC3735C0C4900933011AB0100782F52812B92A8523B5A5A6603D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083252Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:26.588{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-253E-629F-5D05-000000006102}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083251Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:26.588{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083250Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:26.588{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083249Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:26.588{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083248Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:26.588{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083247Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:26.588{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083246Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:26.588{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083245Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:26.588{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083244Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:26.588{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083243Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:26.588{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083242Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:26.588{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-253E-629F-5D05-000000006102}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083241Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:26.588{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-253E-629F-5D05-000000006102}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083240Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:26.589{0A5DF930-253E-629F-5D05-000000006102}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000265136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:24.649{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58773-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:26.173{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDFEE59743A679C88447A33C3760A167,SHA256=481E904EDF824EBE0B8BD3584ACD3D85CF7E82BA5CB6B1506643D679EEE76E00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083239Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:26.120{0A5DF930-253D-629F-5C05-000000006102}4042448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083268Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:27.698{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BAEC05357CC17774F791D1ADF02E071,SHA256=1C06982C88BD56083A6C69B00A665AE95F4473F17E9C78670D73375E1CD56C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:27.266{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3014E63841C5DA9F42A249E14291DA8,SHA256=A45220F3C360249966818BDF2CE67422507A4CCBEC57A7CAF3DB133F4444B449,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083267Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:27.260{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-253F-629F-5E05-000000006102}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083266Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:27.260{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083265Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:27.260{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083264Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:27.260{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083263Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:27.260{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083262Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:27.260{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083261Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:27.260{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083260Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:27.260{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083259Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:27.260{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083258Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:27.260{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083257Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:27.260{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-253F-629F-5E05-000000006102}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083256Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:27.260{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-253F-629F-5E05-000000006102}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083255Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:27.261{0A5DF930-253F-629F-5E05-000000006102}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083299Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.823{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-2540-629F-6005-000000006102}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083298Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.823{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083297Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.823{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083296Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.823{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083295Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.823{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083294Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.823{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083293Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.823{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083292Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.823{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083291Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.823{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083290Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.823{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083289Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.823{0A5DF930-FCDF-629E-0500-000000006102}408528C:\Windows\system32\csrss.exe{0A5DF930-2540-629F-6005-000000006102}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083288Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.823{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-2540-629F-6005-000000006102}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083287Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.824{0A5DF930-2540-629F-6005-000000006102}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083286Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.791{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBD9B471352F4901EB4013964B8928A,SHA256=30903E9E0280472BC28294F51A17C52FEC2438779029AC7834D4C61C20BA7DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:28.360{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF120A8EF47A9FA9C1CCC652D7ABB401,SHA256=292CE7DCF8B31F891B416AE636B680B44A2B40813230C51DF1ADF3740C1EBEA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083285Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.654{0A5DF930-2540-629F-5F05-000000006102}33681924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083284Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.621{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=031D460F915A0833FA6903B818F210D0,SHA256=4DB6B7CE3B212F6E9374571BD514EF9C7F7800190376531EC41862C0F4C2D90F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083283Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.573{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083282Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.291{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-2540-629F-5F05-000000006102}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083281Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.291{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083280Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.291{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083279Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.291{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083278Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.291{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083277Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.291{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083276Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.291{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083275Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.291{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083274Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.291{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083273Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.291{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083272Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.291{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-2540-629F-5F05-000000006102}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083271Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.291{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-2540-629F-5F05-000000006102}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083270Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.292{0A5DF930-2540-629F-5F05-000000006102}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000083269Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:25.729{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51721-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083315Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:29.995{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F414A4F9F93A1E55F06A79696CEA5E,SHA256=F85E05535157AC1182E688760A4201F1DF5B82996245EC9B0DCC8038589E8968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:29.454{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40CF85828ABD9A8A83EE896B73854F2,SHA256=4D0C98B48483AA7AA5DFD470C94F0B3ECA10B3A34A594601FCEA0F9A191DC7A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083314Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:29.698{0A5DF930-2541-629F-6105-000000006102}16482640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083313Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:29.495{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-2541-629F-6105-000000006102}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083312Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:29.495{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083311Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:29.495{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083310Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:29.495{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083309Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:29.495{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083308Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:29.495{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083307Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:29.495{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083306Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:29.495{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083305Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:29.495{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083304Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:29.495{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083303Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:29.495{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-2541-629F-6105-000000006102}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083302Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:29.495{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-2541-629F-6105-000000006102}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083301Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:29.495{0A5DF930-2541-629F-6105-000000006102}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083300Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:29.057{0A5DF930-2540-629F-6005-000000006102}26323228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000265148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:30.891{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5ECA57F225B7D5A580A8CE34499EA521,SHA256=F097AA774FFD084861F5AFF9173989C01797A40D33EF50F9BECCE2B7FFCE76D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:30.548{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5522A89CA9371A64E4C787AC3E2A7DC,SHA256=69F98F9B47BA6DD8640AAF468B419944E47078D8E5FA721263C48F454008C19E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083316Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:28.152{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51722-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000265146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:30.391{2E1864BB-FCD7-629E-9400-000000006002}50243080C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:30.391{2E1864BB-FCD7-629E-9400-000000006002}50243080C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:30.391{2E1864BB-FCD7-629E-9400-000000006002}50243080C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:30.376{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:30.376{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:30.376{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:30.376{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000265152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:31.641{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B56D9CBC6D97F3917C0A58489B72EAB,SHA256=DA7627321F694F1CC1DDE0FD487D3AC6A537954FA1CB2D80B059A7A787FE7231,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:29.618{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local58774-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000265150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:29.618{2E1864BB-FCA7-629E-2A00-000000006002}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local58774-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x800000000000000083317Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:31.104{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29BDED17D1F93827682E1CE8A4E7FFC7,SHA256=9B6EC476B6E837B4FA4BE1945BB052C659DCA52832363B0B6505CE9F0CEE9B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:31.251{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF6E77FA8CB0E22AB754A2F56940604F,SHA256=0A85411B054AD701CC3A18691A9DCD71B26E13D8E04F3F910F94850F6AF079A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:32.626{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA6136C9E2EDC53712F20B8C0DF2B9F1,SHA256=3CE46EBDD47770D888A89CC85BBDEB63A4A42DD36FF74911556BAF50E8028698,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:30.681{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58775-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000083332Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:32.935{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-2544-629F-6205-000000006102}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083331Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:32.935{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083330Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:32.935{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083329Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:32.935{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083328Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:32.935{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083327Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:32.935{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083326Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:32.935{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083325Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:32.935{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083324Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:32.935{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083323Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:32.935{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083322Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:32.935{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-2544-629F-6205-000000006102}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083321Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:32.935{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-2544-629F-6205-000000006102}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083320Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:32.936{0A5DF930-2544-629F-6205-000000006102}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083319Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:32.625{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220607072316-167MD5=9111EC41FF83C628EF84330FEA05BEAD,SHA256=3F7BCDBE67AB8824DC300550CB45B7322968B387BF2CE401070A8C26F347D813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083318Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:32.309{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9440E361A52AB0B1F9A077EB2CC18773,SHA256=05AF7ABB8A2949E6C5F02329BDD2F3148D924EEE8DE397A464B1C8E702AF88EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:33.719{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A69C64EDE68B7DF00BF10E74ECF16C,SHA256=D8556C6BE27292E1D8856EBEE38E3C9C3060EBA79F3E6B693D7F71DBB42BB7CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083334Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:33.624{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220607072314-168MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083333Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:33.388{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6296857BEE0D81241CB600AF8BABB87,SHA256=48E7315C217A7173F27BF8146E20A2C4D13FEFC8B9978772E40BB4AF047E1181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:34.814{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E59FCC361B597324D4B4548E4DF8D5,SHA256=FF6BE40CCFE336332CBFE71D0AFAD5937FB895E92443B5981BA7C830306D37D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:34.738{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220607072217-168MD5=26E254714248D0D79F13F56976A5C4B7,SHA256=C15338F826599CD6AABDB3AEEABC6E7FD705959E0E9A072D05126DC09FC03A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083337Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:34.483{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D43DC7BF66C25C58F3AE28E48C337A9,SHA256=6D19A2E0341D0D1F7E6D378EF9693BFABB7285978CB38AA20D85511D3581DFDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083336Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:34.059{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=261676BE792DAB7529095917DF5CD256,SHA256=D302FF7DE3E38F0B23B388D55C36B44A478060C9132DB9B79741E72138655B3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083335Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:31.712{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51723-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083338Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:35.576{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AE1901F20193B494C5A58E63ED0AB3,SHA256=C0AE35BFB8006A70DF4838676AAE38CE033A5E795319A4167C7A59EBE83C1848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:35.812{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E766B1894576109FB025A633E235F4F0,SHA256=003DF9ECF34A2B078E61E12E442881E4B8A56C64C13601DA6523FB8BCAD58705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:35.753{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220607072215-169MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083339Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:36.780{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A284D1815F385B8015E1FA5A969FF34B,SHA256=688A82EF0EA61F4979F82EB3899DF863DC32E314630A42622D3F673892DF451C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:36.801{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05E51307CAB3E444B105B64293DC293,SHA256=104A9133AF181DDD84474E5E3203DD1EEFE7619EC23290BBADA4EE5090BB32E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083340Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:37.873{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3E56FC22745DDA2B496352BBA42DA55,SHA256=4409821CB9C6788DC2830EB85396DF4016A390FD05956D2287F514755D9A821B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:37.910{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EAE754B364739153057E54718EDB5A6,SHA256=ABF800834577DDC3B66047477582C67F146992510AA367E248D6D6537DB36AEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083341Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:38.967{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F97D92AFA8A56DC84A11D791599C943C,SHA256=073805DD4CB9A80EAEB134B93090E3C76E3AD993035EB0BC82BEFBB230A0E9E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:36.512{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58776-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000083342Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:36.809{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51724-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:39.004{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F574435C70E12D496034910FA9D8F5,SHA256=43D32E2539F0DF36EFFEDD1D5DA98A82B5DD3D49B06F4A5FAB7C8D6320387386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083343Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:40.060{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301C3952A9FA1A83C816A73741E6617E,SHA256=4FE1C13216FB13633713FFD95A04CD7B4C8FE108BDB39477E6BA0E11360EC142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:40.098{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDD884886640D897125A847BBB58F59,SHA256=22DCFE67D5E3AE7A8F3B9AE723B45044DB2DC968CE45BE6FB5C9B465C9B89C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083344Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:41.373{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92AC3B8F8716F9DD2CD03A73883C2F3D,SHA256=F766BF61163F4DC72D542C7CE1444ED638A5B556A126DAC99A8FB519A054AE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:41.191{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB462C1D57544F1333F250C4E86107C7,SHA256=3E6969786A1D780FE91537F7813C25F2B11EC9EB66453BB7251D73CD011509B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083345Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:42.576{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2278874445396675F820CCA751728696,SHA256=DC9C4D156111BCA18CFDD1B020F5318ECBBB18909F83333D519FD4A95487D4A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:42.551{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:42.285{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78D4B089FA191E344481F84744DFB82C,SHA256=9B913508CF0D102F59E8CF8387E755BCFEEFA0BF6751DC38B225CAF015DF283F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083346Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:43.670{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93E9ECE401B2D5EFDE261E1073248A9,SHA256=F2BE81425B1AF3A55557003489DD83C1788E18137DF8A13699D5C8C89B1F9B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:43.379{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C34742D8764F90917E7BFC284F49FC,SHA256=6B861C5843F329B5DE5D03F350C9A1912C75E25A35C715364EF6FBA3140C9F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083347Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:44.982{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D6A3134376A614C36418778E440305,SHA256=D757F82F4FD55016E9B97761DCC6900676C22E6C479664C5BCBCE14C82471C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:44.473{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8972EAA54695C81EC027EDB967D8D8,SHA256=17668387B4AD53495D427F91D8CC2AC5E61F285BB1EC6AC67EE5398F03F9F501,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:41.980{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58778-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000265169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:41.527{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58777-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:45.566{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1487F990807E25024AE98A31B11E52,SHA256=EB1886168FA18E2987655136F92D7B6426D6D7CA51C7466EDB5E2671B12348DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083348Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:42.840{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51725-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:46.660{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B468D7FB0AD309D8939F24016E824697,SHA256=AF8741EC12336761B3B4C721E99D2BE242103477DD0DD6062D3A5EBF3340F8F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083349Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:46.076{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C45759478257595BE7E883AE4179D5,SHA256=2D5862A817F9DE33B492294FFF3A4F9EDDEF9835AF13769B757061AE212DAE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:47.754{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA20D9E2D5CF52E8BA0C62A16AFECDB2,SHA256=6907C098C1A30514CCB805A4FBE9E785FD968F2B5CF469529973B3D2910AD975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083350Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:47.279{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C121D6F12A2F03F9D13B5E725A1A94,SHA256=F03D62A6AE19A77E5079D2F984EBEA6FE7C87228D6CCA229918F8571B482382C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083351Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:48.373{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5357AD715F8F887502B75608DDD54E75,SHA256=87851741E7460C442FE95462C7AC02B341BF90FFE8DF942A828BF91064A3651A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:48.848{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B457D55F51648A1FD35D833B12058D09,SHA256=4D72DB7DAAFB59102BD399C4CDA68BECCC963C9672F11A22597ECC8331A9D1B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083352Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:49.685{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A8FDB93F873AF04459EBC827AE85EC9,SHA256=D21BB90ED07558E57892DE832C39835FA5BC8EFDFF56D4355C0C0973A81F46E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:49.941{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59920C8DF0D6AFA59195A21FF6286D5D,SHA256=3DD9D3BA422A7D93AE810491D057828EC73AF1BADB718293650D813F50D3E975,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:47.497{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58779-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083353Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:50.779{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D5746F7426A1AE5749D1BC7DB2B58B,SHA256=7ED4FC7AA56D76D5CB8000160F3F300C9B24AD62A24754ADCCB34F2B20D714F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083355Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:51.873{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F166484B8D40637BAA04CB9BD65F368,SHA256=DBA73E0822FFE343F64C2EEE10F81C44133187E2D506A67E275CFFAAD5580620,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083354Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:48.715{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51726-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:51.035{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71DAFEC21B903DBCC34A6AF910E5E486,SHA256=FD3E430A9253D9C9199A1F4C160DB074070EADE62E9213FA32A452E33947F79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:52.129{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C21A7FBC6C9B303ED445398D5409BF,SHA256=010BB604DD311896BAC15947BE2D0755DB640600BBE8372831497E71901FA0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083356Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:53.201{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8ADE5D29A365A310BAB6964C8ADE7C,SHA256=ADDB515C8B9D1100BF872FAF9F2A57FC24562CD00008846BEA5128DE1783E0D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD9-629E-9600-000000006002}4504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD9-629E-9600-000000006002}4504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.348{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD9-629E-9600-000000006002}4504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000265180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:53.223{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A632AD16E8392770E3760A2CCF239B99,SHA256=ED815BDD0D6BD47F51D22F1118EFA0B4CCF292C6EC70441796A45986163D76C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083357Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:54.295{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40603E19FBDC67E805CB798E0C92594B,SHA256=E46D8BC08E3AC428B73F3D4BEBA1703E93A8EBE7717C82110F505BAA1A791BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:54.644{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE03CE9317476E297FF97706D63A787,SHA256=8BD1D8201B732C73DB75C1DB293661A73F84B5A1A157CED23328C0AC0530AE65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:52.574{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58780-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000083359Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:53.746{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51727-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083358Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:55.498{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB58E9AE002F25B22BCCC583691537A,SHA256=50530DFEF4743C54E749563D951631A072C193A1705549A7CCE97ECC79AA3FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:55.441{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97727C7E95068030ACC1D1D2072FBFD3,SHA256=519526A972DBE48CA6C14D6308833B43CBEDFB3112E36782DC192833FDDF44C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083360Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:56.592{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B088E3E8820C2E32DC5D0365C6873A,SHA256=98D46E5881460D8DF18F8A4EAB8F30801A23EF4FCCA63EC1408103D2E2F8910F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.754{2E1864BB-255C-629F-0506-000000006002}20045444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.566{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-255C-629F-0506-000000006002}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.566{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.566{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.566{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.566{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.566{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-255C-629F-0506-000000006002}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.566{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-255C-629F-0506-000000006002}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.567{2E1864BB-255C-629F-0506-000000006002}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.535{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95424D79CD451BFE904CF439B8C135D7,SHA256=E567374250AB2D3E2FE56E366795C6410765352E796F971506BAEB56FB5DBFC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.066{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-255C-629F-0406-000000006002}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.066{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.066{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.066{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.066{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.066{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-255C-629F-0406-000000006002}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.066{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-255C-629F-0406-000000006002}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:56.067{2E1864BB-255C-629F-0406-000000006002}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083362Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:57.893{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=29A39AFC59F2C8C93329AE901824FA40,SHA256=CBAFD8BE433AE1F993759FDA6C5B289DDD08ADF19444790E1E793FD23F875F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083361Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:57.689{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0840E884E4A9F75BD773D4E4D6FD397,SHA256=57C4A5AA33A0633635C0FA10BE0252EBFF995E2E300B3E0D2BDB549303DF5998,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.926{2E1864BB-255D-629F-0706-000000006002}24641284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.738{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-255D-629F-0706-000000006002}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.738{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.738{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.738{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.738{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.738{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-255D-629F-0706-000000006002}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.738{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-255D-629F-0706-000000006002}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.739{2E1864BB-255D-629F-0706-000000006002}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.629{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591CD226719BF2B53E0F2A5C8BC2898C,SHA256=76D7DF85864590496F474224B4DFBE30EA00204FC4DF5FE19B8B206A42B648FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.238{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-255D-629F-0606-000000006002}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.238{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.238{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.238{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.238{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.238{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-255D-629F-0606-000000006002}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.238{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-255D-629F-0606-000000006002}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.239{2E1864BB-255D-629F-0606-000000006002}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:57.176{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F8CA1735ABBB24AB8C08132199CFB13,SHA256=5FC61C1B93E0C1112D678EC072F3D3A85E62ABE490CFE7B8186E6BA1D3B960B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:58.722{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70247E6BDC0406DA05F6E67E3D49D0B1,SHA256=C453A60040B507B9AF6B1EEFBB3E886241657A36705FF475EC213EA7C90633EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:58.613{2E1864BB-255E-629F-0806-000000006002}24726136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:58.410{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-255E-629F-0806-000000006002}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:58.410{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:58.410{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:58.410{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:58.410{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:58.410{2E1864BB-FC96-629E-0500-000000006002}412692C:\Windows\system32\csrss.exe{2E1864BB-255E-629F-0806-000000006002}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:58.410{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-255E-629F-0806-000000006002}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:58.411{2E1864BB-255E-629F-0806-000000006002}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.816{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4C3F8A935C9E9C7EF0DD4E37E1B4FC,SHA256=010C6DEC1A296FF72AA760474CB0BC2DD9E7F7F950E728597455A1B7D1BC07C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.754{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-255F-629F-0A06-000000006002}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.754{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.754{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.754{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.754{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.754{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-255F-629F-0A06-000000006002}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.754{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-255F-629F-0A06-000000006002}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.755{2E1864BB-255F-629F-0A06-000000006002}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083363Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:59.018{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F1AB21CA2C4EDFE510D9BC9856D35C,SHA256=6B27107EB2250DEF14E4F4565D227E4887A500765FDBF9A2F31F74497D916814,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.269{2E1864BB-255F-629F-0906-000000006002}19881920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.082{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-255F-629F-0906-000000006002}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.082{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.082{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.082{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.082{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.082{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-255F-629F-0906-000000006002}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.082{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-255F-629F-0906-000000006002}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:59.083{2E1864BB-255F-629F-0906-000000006002}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:00.816{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09FBB9099C53D9E75C0E43507483D75,SHA256=800F895D12C2B3D482A25E9064729163154EE29C103B588DBA296B22DC5E3869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083364Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:00.111{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71C072D80D5CE81A8B02376FD70D99C,SHA256=F4F350C85E46A8D6FCE0E2B9BB43A06C6E89352CE669CC281408AE71AF303248,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:15:58.543{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58781-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:01.910{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A11FB41FEF12B0609F82199DA87AD4,SHA256=879B8D9DD2D32C5A0927953338CE0F202917611F066E3DF97F4E743259220655,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083366Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:15:59.766{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51728-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083365Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:01.205{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4344AFA898D6F510101E03336D4F5B31,SHA256=9EB1E17070959C58B45DD2BCC3AB51C6833554467E28D04717BDA449F9D8AD83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:01.191{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A9989DC4BBC07939EFF5BE27348BAE6E,SHA256=6CD316D0C55EC547C24EEB6A8736AA603C8D39CDBB130D2E7CD08A255AECBD50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083367Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:02.518{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A371006DAAF45B1BED8A56DCCBD18062,SHA256=46B1BE41BD86A2DCCC79B9A6A6BE2C4F2B3C6A227E53C4EA08966F4F15F6BCE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083368Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:03.721{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B422FAE1010AF20F7ADE18C87C42DC,SHA256=F2256C8FEBFCAE6487F1544E2A95E51DF645E9BFF552EFEA643D6BF32C70DB0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:03.066{2E1864BB-FC99-629E-1200-000000006002}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1675CFC24DB64ED33509364CD9DD6DC4,SHA256=204B482ABB10ABFDD410B0CAB92E9F50E14797E2EBDF84FA9358135833312A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:03.004{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4399A8F72F031EA5848CE65A54561D,SHA256=2006659FBBEE068605A2BF1ABD0BEB8BE614FCF0EFEB7FC326DEE8EAF259B2B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083369Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:04.924{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4725F459CE7637F0FF0092AEC0D8BD,SHA256=70913D237DBC41C7637616BF73B04C857F183A56FD80AEBEB38B78154A75ED7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:04.097{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3AFA9E7030AD8DEBFE13F249D247756,SHA256=29AF4077595E68DC59B5E11B1C4B6A8B1449A4EAAB357755478E82AAE578C8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:05.191{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A475B29E0AF162F160ADC15826851F4,SHA256=FD69C81D4E4C6D70AB7BBA7B2A217E21E17702FAB02C1C75380D0FD6C06C89D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:04.527{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58782-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:06.285{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0575E0073A4DF90C0EBEFBBF8B44600C,SHA256=767051172166BFEB9F5A8DB8969062FAC64D8B90135A946D5B754C68C9DFDA3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083370Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:06.018{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0513F4EC760F5D90634613EF220FE9B,SHA256=96EB8FABF97F4DAE83C6BF6067096A36C0B0EB15C86D6945495EDFBFBFD17F05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:07.379{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF558F6607574459DC1BE5151E474BF,SHA256=C3908FC9FD1D738FE675280E105B835F0B51BC1D19E7DA7B5B9DB173BB974A8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083372Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:04.797{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51729-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083371Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:07.330{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6B60C01F3361B60B2C091343962D78,SHA256=9D9643605859D5FAA51F7272C8E3BA9F68BFD21780564E42E1E61D22B37B71F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083373Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:08.533{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6759F4C79C93F821705D0CA16D538A,SHA256=9CE776A44D511F1038DFF8AE80920D542C3E7C7A440585DD30D37FD89D91B5B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:08.472{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B61DAE2DF3833F1FC9ECE4D6C47465B,SHA256=289484248BE85097A560FDBD8B395960C395B8BFBEF28843BEFCC3823B7F74EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083374Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:09.861{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A4A7D44F142ACA5D9CC34BE599FD18,SHA256=9094B0AE7B09ACE403BA6A27D784DE92932600B3B07D67179E7AF09F59B2D837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:09.566{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CFAC953D6DF6E708CCD2462FA8C657D,SHA256=B871A2E26E30C339943FC5406BDA22C03797C47DA42B67EE5BE380F43754F86D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:10.660{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D033B44EAC7C2D9803FD01E174B6EBCE,SHA256=7CCCDED2ED09BC653A49A025EC0A923B4F808DEBEB6FEF6179D7038CB669E330,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:09.685{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58783-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:11.754{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=887B70B2C1E35688D68927FBEA4C962C,SHA256=60A804344FD68D7A596EA66104B6967ED2DCCA9D8E778C8FB46ABEA530109894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083375Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:11.174{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=714E70F9F5A584F726AA55D553CFCFFA,SHA256=27228D2007E20EAA0304FF5839B7F0470CCD1645C9E6F81E8CBFFB38F9F456DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:12.847{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE86B41F66A52BE3B1413A565482665,SHA256=26D1ABD60490FA1F6E37940D966CCC867260366F82C9EBC91CA711C559654C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083376Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:12.268{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7249BFFE2EF186EE3401E5C778B09344,SHA256=C11AD5A4DFE7887C3C1FA427049FA9E9487BEC9FB7F9E860F8EA7D561EC64541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:13.941{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAA4780E42422A0F5981870FF7FB672,SHA256=94CE914EA574795DDE1FBA0562215B98523164A690B25DAB0C5EB41E83011B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083378Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:13.361{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50E945EBA0954CB120A82CBAF9B884E,SHA256=43561008231612C2C246C62569E64A7849E7641E5E5C3A42BF2AB5375EA09D50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083377Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:10.797{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51730-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083379Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:14.455{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4140404A2EE88C50F33690082104C4,SHA256=45E8FB00C63E8C2B45979C5D4E0B11D197C5A123536E74822709D343826E182A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083381Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:15.549{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039F5E3F8A6F5108889B99AB5ECE7823,SHA256=EFF9F4196E47EA47AC1BC8CA1F6B4E40174B3B4D349A1CFB5D3E7700D050CCE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:15.035{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E937291E442E1E6B6A42FB3CC1276F,SHA256=AD119BDF681E93C9D83DD6C034F99CC26C71582712B8559F8FA03C2424867018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083380Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:15.174{0A5DF930-FCE1-629E-1100-000000006102}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7D2A023607447E548ECFCF0B2BB6DDF5,SHA256=9F5DAA20A60DFE83681D9B4768DC49E6EE56E623FD04FD43FF49EB2F9BF07484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083382Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:16.861{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548D7881F778E06E066152EEB15F4533,SHA256=5D90217DE9AC761A3BBF836742267E98DDBACD608375875B7CE899DAF76892CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:16.129{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C0EDF86D92534874768FFD45932A21,SHA256=386C0774F1E95B7D91EFB28D31993FD56D341D400EDE79ACF20D32DB88C2899C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:17.222{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C83BCF0912E477635C2D9FFBD80343,SHA256=41CF9B502E9A60B9FB90801D239B7EBBFAF1395014F720CC7A4D37E46ABFB875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:18.316{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE0F7847E5D9F1ED39484549BCE0081,SHA256=926F056C2A30257664BF9B97B315FCDCE4C9BC5F93110208F77C37E8EDEEBED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083383Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:18.061{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53D3F136022EC3C08CF673F452B3526,SHA256=810B2351E51EC704B3CD1E0B804AEAF3A48B90FC1B19DF047918E203AC10665B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:15.667{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58784-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:19.410{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8754EB44362BE47C5A6583515584738D,SHA256=7932A1D9EE2B9811496349D5F0C15222C1F7D8902DD5E343FB70A3977357AE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083385Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:19.155{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD13294AE60876E2954AC74B5765820F,SHA256=56274F4602240221331CFA04AF095989DCDC82884439D6347CC8D8E2C8681138,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083384Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:16.747{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51731-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083386Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:20.358{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B21EAF2D8612F559F53668969DEC61,SHA256=613A760B584C0552CA12DCA2D185BF8E016C7BC9854C66276845D3DEEF5BD692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:20.504{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EB5825DE421BD7DBCB832243483126,SHA256=F77194F1C98782BEB9BD94F3B5B148FDB8BA7DF41956FEA2655E3B8638E130FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083387Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:21.561{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E625F190DAD25E470B0329DD7DF641D9,SHA256=3444C585B2C7B78DF3F7B41F87331FE36971685D87C0F0F428164D136BA79C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:21.597{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB52A3B7202260DBE124694945C78A37,SHA256=3C0C0A1AAA5081A9F8DE0F89785E11B4CF69159773DEE6815D2120682939FE1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:21.082{2E1864BB-FCD7-629E-9400-000000006002}50246132C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:21.082{2E1864BB-FCD7-629E-9400-000000006002}50246132C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:21.082{2E1864BB-FCD7-629E-9400-000000006002}50246132C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:21.082{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:21.082{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:21.082{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:21.082{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083388Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:22.655{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44214ACA5AADD7D254825F9638005BCC,SHA256=732D9BD44A2C7CAD64C859DF395C4E15784FB6F9CA73D50E3A5C75D97797A039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:22.691{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A68BA18CB373EBDE7A9B1D0BB2C25E,SHA256=CCE6202FF509FC3885C38827CA4D51DF5AA8180A7A6640FB0436CADE54C5D789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083389Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:23.749{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5041C3254B1699A32DEC9BC79B831341,SHA256=B4A8A767C057AEEE55E32661192801A423D1E43A70C4BC88385E6D578BDC7733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:23.785{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5911862261BC92B35AE9D992BC540395,SHA256=EF36665E7BD9670E52F228C2799F0AD755DFA8A3563A21504A895B8E32F39EBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:23.363{2E1864BB-FCD7-629E-9400-000000006002}50246132C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:23.363{2E1864BB-FCD7-629E-9400-000000006002}50246132C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:23.363{2E1864BB-FCD7-629E-9400-000000006002}50246132C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:23.363{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:23.363{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:23.363{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:23.363{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000265329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:24.879{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FDF233AD00F6BFE776C47ABC945ACC,SHA256=D694D771C4678F2D26E45B1E602DFC1762D2F2757D45ACB02F715A0370158DDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083390Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:24.842{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38C3784B53DF9542AC870D20DDA39FF,SHA256=8839E39DB7ADDC11F0ADD8FE8D9304982194ED9C59EC9CE53CDACD39BAC4C2EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:21.527{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58785-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:25.972{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73077E0A7E8FE2B7783C5E8D422233AE,SHA256=A9CFF85941190AF5737C233E0A746E4219A249351ECB0B2C0B529FF616EC49D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083404Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:25.936{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEABC5366535AD1CA276CEFBF0260820,SHA256=D57CE98172F703C4A72E59D4AABB57BEABA92082D8AA8B05F22812E2BF7A15AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083403Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:25.796{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-2579-629F-6305-000000006102}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083402Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:25.796{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083401Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:25.796{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083400Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:25.796{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083399Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:25.796{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083398Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:25.796{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083397Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:25.796{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083396Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:25.796{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083395Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:25.796{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083394Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:25.796{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083393Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:25.796{0A5DF930-FCDF-629E-0500-000000006102}408528C:\Windows\system32\csrss.exe{0A5DF930-2579-629F-6305-000000006102}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083392Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:25.796{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-2579-629F-6305-000000006102}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083391Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:25.797{0A5DF930-2579-629F-6305-000000006102}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083433Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.967{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-257A-629F-6505-000000006102}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083432Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.967{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083431Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.967{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083430Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.967{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083429Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.967{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083428Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.967{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083427Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.967{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083426Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.967{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083425Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.967{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083424Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.967{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083423Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.967{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-257A-629F-6505-000000006102}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083422Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.967{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-257A-629F-6505-000000006102}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083421Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.968{0A5DF930-257A-629F-6505-000000006102}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083420Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.921{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54000331651FA57F18AAEBFA8522B8CA,SHA256=2D8DE6762E8B139FD62E2DD90162053417D0BFF5A284DDBBC3E0BBAD6AC08924,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083419Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.499{0A5DF930-257A-629F-6405-000000006102}29403856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000083418Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:22.793{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51732-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000083417Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.296{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-257A-629F-6405-000000006102}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083416Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.296{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083415Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.296{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083414Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.296{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083413Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.296{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083412Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.296{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083411Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.296{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083410Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.296{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083409Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.296{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083408Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.296{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083407Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.296{0A5DF930-FCDF-629E-0500-000000006102}408528C:\Windows\system32\csrss.exe{0A5DF930-257A-629F-6405-000000006102}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083406Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.296{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-257A-629F-6405-000000006102}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083405Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:26.297{0A5DF930-257A-629F-6405-000000006102}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:27.066{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3ECEFDCB5B7C717F59E7A631602387,SHA256=0DCF993F112CFBEEEA049725D205E4324760F2CC7034BA18BBD4555AC89CD6E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083434Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:27.030{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F64F5F8B4FEDB9B8A21F74F2DA34810,SHA256=E6B2C55FF1F6002A893040615E63BB6D74C6DF0C142B3F43B41DB4C3B74BEC20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:28.160{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB469990B5359C200CD4F5326D39EDF,SHA256=A6B478A71D2040F0905B6FA93E5E61534BBE696A82828CB3FD49A0947E7BA6C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083465Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.983{0A5DF930-257C-629F-6705-000000006102}2384520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083464Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.749{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-257C-629F-6705-000000006102}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083463Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.749{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083462Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.749{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083461Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.749{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083460Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.749{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083459Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.749{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083458Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.749{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083457Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.749{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083456Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.749{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083455Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.749{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083454Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.749{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-257C-629F-6705-000000006102}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083453Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.749{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-257C-629F-6705-000000006102}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083452Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.750{0A5DF930-257C-629F-6705-000000006102}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083451Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.592{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083450Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.514{0A5DF930-257C-629F-6605-000000006102}15922788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083449Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.249{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-257C-629F-6605-000000006102}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083448Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083447Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083446Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083445Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083444Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083443Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083442Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083441Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083440Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083439Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.249{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-257C-629F-6605-000000006102}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083438Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.249{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-257C-629F-6605-000000006102}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083437Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.250{0A5DF930-257C-629F-6605-000000006102}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083436Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.233{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A548F35433BCDCDDE0EDC4147FA6165B,SHA256=65A184FD115F37D0D8AEC46E2F648E9E3AC8603ABF97216B80E07D3A2576F648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083435Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.014{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6FF69D108E1C436F739C15D872D041,SHA256=97CB3656A4693D23F97B7FF3E3705633413C27F59C499831419CE70BA86DB737,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:27.480{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58786-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:29.254{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8762919CA7EE0B73FEC619158B9720F9,SHA256=2C692A160B1C2CE6432139E4256C4BE86657D4A5CEF9CD4F0347253E2E0BF0D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083480Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:29.436{0A5DF930-257D-629F-6805-000000006102}40523472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083479Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:29.389{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1669DB4352AC773D1E65DF33B1F1A68B,SHA256=9785410D8F7BEE2FFA76DE6905947762038779B3688F9919329D71B08E0719BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083478Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:29.249{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-257D-629F-6805-000000006102}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083477Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:29.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083476Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:29.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083475Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:29.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083474Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:29.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083473Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:29.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083472Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:29.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083471Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:29.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083470Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:29.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083469Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:29.249{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083468Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:29.249{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-257D-629F-6805-000000006102}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083467Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:29.249{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-257D-629F-6805-000000006102}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083466Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:29.250{0A5DF930-257D-629F-6805-000000006102}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000083483Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.668{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51734-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000083482Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:28.177{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51733-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000083481Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:30.342{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB222DAF261DB54B6C24921EA422A54,SHA256=217E7867A330F310D10B9A140EEFCB11A7CB1D1FAE03E64E4C9533832E682114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:30.519{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CA6D47E4E181348D0DB7CDC7D11610B3,SHA256=B63C247FAE51F69D9394274FEDB34487CB8713DF9731EA17433B86EB46849F71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:30.347{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19CDFD6DB9ADD71DFC19D44CB8C9776A,SHA256=D90FC488E0A21ED308A44DF1B4CAB0A1B55BD3D2077A0774AA366AC33CC1D412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083484Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:31.436{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A169E5BB7086AED0074FD7B542F25013,SHA256=16F85E3E49A3BA945576B8A51ED6F23E0D00012840BA1469CF63401C4F6826A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:29.620{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local58787-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000265339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:29.620{2E1864BB-FCA7-629E-2A00-000000006002}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local58787-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x8000000000000000265338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:31.441{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A0E5D3090442CD2C8A5FA1E7C8FD56,SHA256=EA43D61D427A72D0052A5B7AF889B72FBAE79A78B704E34A72B51FA06BD59959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:31.316{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32EDED04D383E9C9187AF70DFA534FB4,SHA256=30FC1C1DFF026FAAE1C55F77382CC6E3DC714E6B045BE3BC4528C85CC54C0108,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083498Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:32.811{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-2580-629F-6905-000000006102}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083497Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:32.811{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083496Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:32.811{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083495Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:32.811{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083494Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:32.811{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083493Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:32.811{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083492Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:32.811{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-2580-629F-6905-000000006102}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083491Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:32.811{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083490Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:32.811{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083489Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:32.811{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083488Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:32.811{0A5DF930-FCE0-629E-0C00-000000006102}7202504C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083487Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:32.811{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-2580-629F-6905-000000006102}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083486Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:32.812{0A5DF930-2580-629F-6905-000000006102}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083485Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:32.530{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5BCA31857855B7E556AA7672EF72BC,SHA256=2B58B49E9C1786CFA373EDDB834256F08DF898E9B1016B26B79351EF5F75A814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:32.535{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B2ACBCD999A9698E206EDA32D99CDF,SHA256=30F469C6D5D3F2AD3CB0A774DB9ADED88F89E1B9964683CFD1B4E391B77F5200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083499Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:33.734{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69507C7EF3B7F94C790961DAB778BE27,SHA256=FA99304FF9F75CAF63C5C9EEB1712EFDDDB1555FA2B3E22206CED84C3017B03C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:33.629{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F8CB049322CC76F5E4B98A4F982F41,SHA256=85CCA1001A4C2C5F7B80C249823EA5AF81D3A89FF07E0BC223A3258163598723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083502Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:34.936{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1357BE26AA823B0E25F4425369701F00,SHA256=4E2ADA8844F23842A4937BF83714081939F202157AE396F02F26069869CF1D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:34.722{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE06E686966F3B630E7EAA398C5C501,SHA256=E27930A28F7C2E9E2D1D1F2CAFB90F48BF9E4BE0F5656A862FBF194A54EDCC27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083501Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:34.143{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220607072316-168MD5=9111EC41FF83C628EF84330FEA05BEAD,SHA256=3F7BCDBE67AB8824DC300550CB45B7322968B387BF2CE401070A8C26F347D813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083500Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:34.031{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68D3C616EC5E65034DB79CEDAFC99844,SHA256=744D31FA4535E2ED0700BB10CE7FE760F150BEA2A2434CC433438082F53AA668,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:32.496{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58788-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:35.817{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C3A4BD1F7097A514A5B145E89613FA,SHA256=ACEEA430F637CB0167EC3D5A3D7177B96855927A7456FD69A44C46FEE0294C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083503Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:35.156{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220607072314-169MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:36.904{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FD8928A97D3F0492438F66CE8ADA3E,SHA256=C0A3A5604802AE5AE4B77EAD30D1780CF32D54F6996A7CDF28C6244FF56DDA76,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083505Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:33.732{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51735-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083504Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:36.031{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126E7643A55E948D0219730D1335EA1B,SHA256=E0338143EA79017F418C15646E5581C4EA0CD52D5DEF3F02002E71727233B208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:36.273{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220607072217-169MD5=26E254714248D0D79F13F56976A5C4B7,SHA256=C15338F826599CD6AABDB3AEEABC6E7FD705959E0E9A072D05126DC09FC03A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083506Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:37.125{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B41B51B74F012AC4EA95C4A2B9933C5,SHA256=FEC135701716418036B639FDC8337CF852ED1D0C39101088753993E9AF9A3D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:37.280{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220607072215-170MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083507Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:38.219{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=421A202F2A8D89855D8E5FD806D0D32D,SHA256=AEE5C8D3E1CDCB456433135E2ACCBA0915B95FF748B4B0E49E74DE66FB3ACDFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:37.999{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74EEEAC40A84DE80CC19E190B1C8993D,SHA256=16DEDF952FABDEE96B327EAC0A67305CB3949C9C291F109D2D550E463820DA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083508Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:39.422{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557A0F0B949FA8186F651833D0CBF39A,SHA256=D8DF166AC06AF2608819660F8ECEB7D77D0C59255BA1144059268C204BFD23A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:37.631{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58789-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:39.093{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857991C91DB45DA53CF0397381490917,SHA256=154B99CBC9CE0D53578FF06BC2D3FA7BC64F83FF716F3C1783EAC0E29BDDD0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083509Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:40.516{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5BF6721052F37A72301CBEBFF197BA,SHA256=A658C69B48C5B5D73BD001E0EB8C06C502D41B0801ECEDBBA1BDA7479E0B09DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:40.203{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495D3B24E59A31AD45A06CC915A155A5,SHA256=0681E6AC2F9FEB650DD37134FDE913E1930D4A6C969F4631E3D3FC5482D0B5BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083510Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:41.609{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B557E8F5CFB72AAC880F30826978674,SHA256=628C63843811EBD5EEB3EB8F4AEEACD70ABEB5D890CA462627616A433EA5E733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:41.296{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024025D27D79736012D0815595AF00C1,SHA256=F1E56419B2EF56C6ACD963CFB8E40E859A575625A72822AADCA018025AB9570A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:42.578{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:42.390{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE717C0BF0E2260E139BFA6FDD1C192,SHA256=5ED1832340F4CF28E133469E020B4D58FF22FD5D3F8D48A5463BD714ACA71E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083512Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:42.719{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1BD1EF01C96ADA346E4E64C6EEC150,SHA256=0D754A9CF9300DAFF4BBEA360AC95528F97F76D9F370E8030456B427A4D5E1CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083511Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:39.654{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51736-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083513Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:43.812{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3975C573AB10376332A93486332BB38C,SHA256=0A1FAF59464CE04D256A95270509A65B8E305D7C6D9312B3C839E917C72F4E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:43.484{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5EE39C7D9804FF2F72E1F48328A5D62,SHA256=311C55D4FC982806C0E235B998D421A77411BEE454784AE011873B7A8E1AEB41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083514Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:44.906{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C72A5023640DADDC3E7CB470CBF4FE,SHA256=5E7C27EB2583DFFC784DC4AAC3B1942FF50AC3616EAFBF7413AD66582395D8EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:44.578{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB519F9A469610BBD810F64BE608324E,SHA256=9C359A440BE6B58687BC7DCDEA842C73C2998A0DB70A05774D0A312ED4694674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:45.671{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159A5514E9C70F1FB950C5A2B1BAA702,SHA256=E201D8F7922C9FCE71845CF5A60B5B0D59A15101D411E7724DF8838245740AC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:43.616{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58791-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000265358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:42.007{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58790-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000265361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:46.656{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC9B83CBDF93EA4338D782305D09D8D,SHA256=7C6C0531DF5B514241D1937EFA1B3BEB497463B9667FF339009EC72A6B6FC4E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083515Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:46.219{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1012CECFCCEB5FB68016E33F527CD85B,SHA256=8B1322E6F14DA378C85D48174471CC8111875E558C1B7387A8CC285BE4CBCD42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:47.749{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1414B8F8DCE6F9D32729C0A72C4BC922,SHA256=DC0C481C5F2F1A2CBF69C66803699CA54F23D8D9C64D5732D701DD73DB7AAF98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083516Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:47.531{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77A9CA13EFD1AEAC8C607A16D936D33,SHA256=EC62BE417E401D924C80D1B61B24133E63C99905A81C1A4F8FADCA2D6FD3C996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:48.843{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927B1EA1E1F376063AB53C98A9861E85,SHA256=90921FD598FC5DC68AEE135911E6AC1A3514AD6479A4AC62332C3AE8E9541333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083518Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:48.625{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F43EA91B431F1D0D9C46CCA36E81F9,SHA256=98C67C40ED8A63BD5422D78729F3EB1CEB100BC81F38065C3E3F231A1B6C1D4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083517Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:44.702{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51737-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:49.937{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0E201515E0C1DEAC82037547078CFC,SHA256=D30CFD21C5F830353956E61AC6E0886AC65BAE5B02434332C53C3CB27B4A3351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083519Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:49.828{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F7DE1CF72685B62C2AC0D9722C25314,SHA256=8DBE076E2CB0DE75B6BCF78F7D7168E695538A382350F8E1432C4CB164D9BDBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083520Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:50.922{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=372B56D70A6A4ADCE4FC68862AD9A28B,SHA256=BC06A5E9C139A28E0639251FE9268547EC9B98D177E83FCC66A199A40A520D36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:48.694{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58792-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:51.031{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE9E87780B3A337BEA9DB781096919FC,SHA256=F129AA50D5FCC12654E902602D58CDD291FBC7D54EC806E0C1E3BEFA04CEB418,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083521Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:49.794{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51738-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:52.124{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3162BDFF550C13784019642BCDE3A7C4,SHA256=465BB987A106AE5BEE9FB1C5EAC63397B5A032972337C1307CE22E4DDCE122F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083522Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:52.234{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC5A04B82A7C36492653C3F92AB2604,SHA256=48E3F378308B895E0ACB5D4F90D2DCEF54E703A6BBCF88BDCABB02434A0C0721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083523Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:53.438{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB8501FBB138D69C6A06D5AABAF48DAE,SHA256=365FBE417750321D9EB8E68CE4F12343134D0FA3B500D2271F3AA3A6EF0C26F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:53.218{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD274B4757A14F82BBCD725E140B9CD,SHA256=72021B3696470A3446DC7D170EA02D4C7EB0FCB1137C581D712D4EAF0CF97230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083524Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:54.531{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197E91FC10EAA51D9B85532747FC413F,SHA256=64F762E9FD855E934C66E70E9FEDCB7B89591FFAA4718DF1623EBE99402FDD46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:54.312{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E02B0F43BFA6F7F6230B489A39FA7A,SHA256=62F78670DEFF65877AE204C995DBCA59BC940BAFFA6EDCF8EEDB8B6BB64F7FF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083525Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:55.625{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450942A263AD6C8F0459563C83013C64,SHA256=6AA6B3BD974CF9C9F9B9E14AEFF49EDAE8977B5DD3E8F2791278A3BD7D6AACBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:55.406{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD6DBC2C93672A3D8802E71A2108AA7C,SHA256=80EB1AC8D82D941B4EB0860F4E8926A80DC2C7536DD80273F8F0BB1D7CB7855F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083526Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:56.719{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064F0810113D3A155BBB39052B1FD00B,SHA256=0A41AB4A8DA5D1D991B4E3BE2D0EED714169863AF1DF65E7EDE909842887DE83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.781{2E1864BB-2598-629F-0C06-000000006002}55205868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.609{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-2598-629F-0C06-000000006002}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.609{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.609{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.609{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.609{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.609{2E1864BB-FC96-629E-0500-000000006002}412692C:\Windows\system32\csrss.exe{2E1864BB-2598-629F-0C06-000000006002}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.609{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-2598-629F-0C06-000000006002}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.610{2E1864BB-2598-629F-0C06-000000006002}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.515{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=161F6130A0DA163877AFE5F9F01AABA2,SHA256=B1404929A74D320DD54158005B3DADD6CF7622175F6A5BBB67853A0060518FC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.062{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-2598-629F-0B06-000000006002}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.062{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.062{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.062{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.062{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.062{2E1864BB-FC96-629E-0500-000000006002}412692C:\Windows\system32\csrss.exe{2E1864BB-2598-629F-0B06-000000006002}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.062{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-2598-629F-0B06-000000006002}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:56.063{2E1864BB-2598-629F-0B06-000000006002}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083528Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:57.815{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953514006921DA666874A8B57C727EDA,SHA256=C56887578C9DE29E95BB343709C3D7B26D42E9CBA1B71EA5079712B213E51872,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083527Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:55.795{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51739-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000265407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.859{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-2599-629F-0E06-000000006002}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.859{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.859{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.859{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.859{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.859{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-2599-629F-0E06-000000006002}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.859{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-2599-629F-0E06-000000006002}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.861{2E1864BB-2599-629F-0E06-000000006002}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.609{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E818B5CD4090AAC94967F4A5143A404,SHA256=904B165837E72FEC9D89E009B3742D41F01ABF3BB97994CE3B44373F784C0035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.234{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-2599-629F-0D06-000000006002}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.234{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.234{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.234{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.234{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.234{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-2599-629F-0D06-000000006002}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.234{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-2599-629F-0D06-000000006002}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.235{2E1864BB-2599-629F-0D06-000000006002}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000265390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:54.600{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58793-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:57.140{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10157E91E4D788DA32C818D98EE456A5,SHA256=5BA5985451695376A88F42584F659E3011AA97CA8A3D366329C3A4CF6E62889E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083530Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:58.799{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915C5EC23941CE051DC08535570A5019,SHA256=03CA77AF680169A7D99FE63AE4F31456B9925AE0DEA22ED186C7110DBE1CB61A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:58.702{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415697C9042318CDF988B0226602FF15,SHA256=67715D920333AF658410C8795272CCCBFA63DAFAEED4835D54AB583A990C8BD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:58.671{2E1864BB-259A-629F-0F06-000000006002}2856700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083529Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:58.534{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=52ED03E042E29ADFB9C49587FEF0CB3D,SHA256=635C27ABE2128E06ED11DF322BE9780F206F6D799C854D3B6FF4441EFB52F2D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:58.499{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-259A-629F-0F06-000000006002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:58.499{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:58.499{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:58.499{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:58.499{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:58.499{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-259A-629F-0F06-000000006002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:58.499{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-259A-629F-0F06-000000006002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:58.500{2E1864BB-259A-629F-0F06-000000006002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000265408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:58.015{2E1864BB-2599-629F-0E06-000000006002}32685420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083531Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:16:59.893{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4E2259BE3F98BD65614A57553C8DD2,SHA256=A251260C027E7BEC172E10186DB8C7D1975470E3A695213D5FA4467A3531B89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.702{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927368C89DF36BFC8684DB52096D6899,SHA256=D8245CA950B3379D9775B9D647AE167C137CD266EB60699DE43EEFB4100523E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.671{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-259B-629F-1106-000000006002}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.671{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.671{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.671{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.671{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.671{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-259B-629F-1106-000000006002}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.671{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-259B-629F-1106-000000006002}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.672{2E1864BB-259B-629F-1106-000000006002}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000265427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.390{2E1864BB-259B-629F-1006-000000006002}41761036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.171{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-259B-629F-1006-000000006002}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.171{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.171{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.171{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.171{2E1864BB-FC98-629E-0C00-000000006002}8361012C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.171{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-259B-629F-1006-000000006002}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000265420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.171{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-259B-629F-1006-000000006002}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000265419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.172{2E1864BB-259B-629F-1006-000000006002}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083532Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:17:00.987{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7932C89C8413213FA581D679069718C,SHA256=E17FDBB9F93D5171E69CB2B7EBA4C3E3B7FF17A204C4430B288B68C43EF17ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:17:00.796{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB29C126FBEAA3658D92AED18BAA9BD,SHA256=F0FE27E1B62EC6C26B083887FE72194BAF727B8D1CBB51D5C3C5EC1154340AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:17:00.749{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=000B2B0FD0C2C473827E533F6CA20ABE,SHA256=B5D1978E2E07FC6F9AEE9C4713F9FB1CE096B4F08CA52CFB817EC9D7AEA20128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:17:01.781{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C9867FB8F1FABC7A01B1039A9A517B,SHA256=1849743A8B471B10BDF667262CDB40B4D98A459E2BEC0522FF9ADE0F7C2149E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:17:02.874{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4F069925063DCE4B638DDF9F47A4FC,SHA256=8211EB47C1F45CEF3EC93FE0F1B7883071DFAD2BD64A8E97D76F05B38D886487,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:16:59.631{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58794-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083533Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:17:02.081{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E9EAB281C9C82F07B8FCB3AA0DBDD9,SHA256=BB3429169EC77A4338C49F672C38E331B1068C84DB128711BB6A587435D17204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:17:03.968{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B70B1EC7D30A3224FFE000872A38BF,SHA256=1D5C5AEDC88B21C773AF0359B9CEBC27B310C542F6F3ADE81F17B4BC292E2479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083534Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:17:03.174{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C3B137B4AE6C2D164D1F3E7352F9A1C,SHA256=C11EC5E46C76A6C073F4AC888087B6658BB2A42106801F4ACB93CE6669DDD1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:17:03.077{2E1864BB-FC99-629E-1200-000000006002}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1ED29BE6EE4489DAB4CB6878DB85B851,SHA256=9A1E0DC22C706D6175DA358D312F4B69453E147EAD4A754A4EA139A3762FA85F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083536Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:17:04.378{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3B7E7C8DBA71061C6F16058CE5BE99,SHA256=B8485FF94DC9BB3D92E8255B8D8C6195BD816326B3C59EDEC11B0A4578394214,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083535Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:17:01.687{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51740-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083537Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:17:05.690{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4669AE8826AE9A2D56E0E3EC08A3E8,SHA256=A0FB42674CD74B05D619A22C3677DE0927EE0746076A45325E121C22D63B2124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:17:05.062{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6A5484C817E69E47CFB8C893F7B792,SHA256=D3CEE0A0D7BD2F28DECD164A2820ABFF85344CCB1D7658243B992B8F370702E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083538Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:17:06.784{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DE2CCFD48CD59ABB28837FFD85F8CC,SHA256=83A0136817C18AF9F7F325BD8E0797A41710A072254A6DA6DD2C075C17540E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:17:06.156{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F296268B0273A981E4A2F263D60CB205,SHA256=F9145179617F6ABF8449CCF897F534944C8B840F76D2101263C926DBC9B5798B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083539Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:17:07.878{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB09358093E11F00C0D3D82E7175CC85,SHA256=A6D7EEC5FC3D358B3135C8848262D221519BEEFA57D26623A3919D906FD6AA64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:17:05.537{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58795-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:17:07.249{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F11F30267601ECE6EEB503F0FC814DF,SHA256=3A3DA8E9F71A3A36D6C67308DEFD4F77DB3CF4C28914345CB2C9C224EFFF0056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:17:08.343{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D670D0960A2B5E0673088D427705E0A2,SHA256=B88425B22BE51E1CB4675386BD774CA7FCA06C298C54ED6DBB8BDC09E3810154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:17:09.437{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4755A325AA858B72E8CFC5B5706476,SHA256=E147CB5CCDD1959F4D17BDAAD9142D7A9D9F6521295BD70904FCB897035A0A36,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083541Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:17:06.765{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal51741-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000083540Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:17:09.190{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718B98449697A4F1CB137680999DDA7F,SHA256=112A71AFD54AE376BE6DD65D2C5F3AFE46AE07EE75E096292C40F1F0A1920CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083542Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:17:10.393{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3C56585BFF66AD4D84466EA86EA901,SHA256=D049BD7B45CFDA546EA3E89C7B5E4D85034CFB2D4D08C8563E66E4F204DC66CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:17:10.531{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3DC00B7857E67278CA54419A26BD6A7,SHA256=CDC4B2FC7F9FB5F43BDA7DBAF1831E3287E9022A61C3983B95FBB97F83FCD4FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:17:11.624{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C178F0279C9A999DA405578B4DA93DBE,SHA256=5715189555B9C241F7F68322FD85C39C8145B010FC8E5D774A54AC1EAE11285E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083543Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:17:11.706{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4BA70D415427585685C2B88792DD5EF,SHA256=F8AE9AAA72DC987CBE18BAED80A60BFE0CB82DEEAB1FD9D66B295189B4295D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 10:17:12.718{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5E09625B29F5E489BFF46DF26AA3D8,SHA256=D3C94AA6EA800C2EFF2939AB2365589388DC13C835CA6F71164809D8F1CB4673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083544Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:17:12.799{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FEA8481CA186142DAB2576185724E00,SHA256=307DDFC84B13224A93FDF6D6A1CBCC6519AA8ED204142A54EB0957CD0BBAF2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083545Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 10:17:13.893{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B36132C16D5E00CD6CEBDD63CE18E5,SHA256=0292B643A93A85D16F62784B0BFDBE45513429BCDF0D44967B87F75DF30B6CF0,IMPHASH=00000000000000000000000000000000falsetrue