23542300x8000000000000000252620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:18.779{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010A113865B6A9A87F7365D80D1FF682,SHA256=4F2F3C396C6AF1A0AA9162C7E46D81E6B45BC614FF35BD540E0181134C43385B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070804Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:18.096{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3971684F6519A6696D7A1BB6DBB4A619,SHA256=EA57663798C6A0C111837CBE532F90AD3D2D0657A4FB139A1B7B86ED7C675905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:19.873{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1791CAAF5CE0D6FC43A9A805B0758B,SHA256=C6C60BFA87A20F0C380D0B386BB7F9908C2140FFAE489F6642808FC43FE5A09E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070806Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:17.891{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50863-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000070805Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:19.409{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A9C39E429191A7570D6C0C7684C074,SHA256=C0E6A6FDD3E2D79F5636AF7AE0E76A5B1591C63E247F77C7F327C85A10E4DF3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:20.967{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03B6B59F55B6ADF6C5E5F68BE6BF804,SHA256=4515A9723D0ACF97B5B92CF962FF7396E98EC15E4E7A0BA5CB1011CC19B07370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070807Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:20.612{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A300BF759EE75BE86F78751CE7CBD2E,SHA256=7553E3EF6EEEE3C61CF1A2B662657C86BBBC4AFF97F8825F7BD2C26A999D45D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:20.279{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29A059386406E0CD11AF522D11B9ED92,SHA256=AB01CE72C0664D5F1BC5D5D1B0F4669273E7BAFAC7C1167F47A18A358E42CD56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070808Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:21.706{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9AC32B87C15A55E5A4A4F9B12E2DAB,SHA256=2E16926C5127CA498F51240E9FAF65C363353AE3DB7E16700E1691FA144B4444,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:19.748{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54720-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000070809Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:22.800{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B3AF6A6F96061F0093336ADC4AD889F,SHA256=14DEE881AD285A347AC5AC98FB266BCCAA96435471011F1081DF29822E988064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:22.060{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BEEE1111A203FDB1CFD1F8EACB8869,SHA256=C27005ABAB0C59136F04D56E6E5DF6CD70CBDFF5D57B9B915A3F4209DE1DB986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070810Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:23.893{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59908EE3B9F88FDAF25D2E36A0BD6269,SHA256=35352B8A5E31E9E7CEB295A2E2F693D7F4BA858178FAE271558EDA04892D884B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:23.154{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D209353FEB141D3B6E80A4BDA279B473,SHA256=EE8E342913BBEF7D7D771916673198A23D0D756377F90E071DB1024DC97C49AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:24.248{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2DE88EB2957F5071122E477B90945F,SHA256=E42EDCD2D9AA24CBE2710181C033912C3569B75F3F072309FA54064B6866DB41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070811Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:25.096{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01290639A9391AF89739A82590B941AC,SHA256=172E9EE79CAE0ACBCFB00177CEDA5C9657DBB60686D19BC28AE0222757FD010C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:25.342{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C56F60671B03D2593A1EB3219AA8A4,SHA256=6432D5BDD7FC4DC8A029E833C1B674CDC98D2671B92E674FBC0B954F52DB5826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:26.435{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD21AF91A883744F246BC11A42F567F,SHA256=FBC30E66A82AB9AD79B1EA482458524CFDDE460B59B64C7CA743B0ECEA466C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070827Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:26.753{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070826Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:26.487{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1422-629F-5C03-000000006102}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070825Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:26.487{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070824Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:26.487{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070823Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:26.487{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070822Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:26.487{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070821Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:26.487{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070820Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:26.487{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070819Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:26.487{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070818Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:26.487{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070817Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:26.487{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070816Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:26.487{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-1422-629F-5C03-000000006102}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070815Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:26.487{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1422-629F-5C03-000000006102}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070814Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:26.488{0A5DF930-1422-629F-5C03-000000006102}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000070813Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:23.907{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50864-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000070812Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:26.300{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300D73358E075D0AA98275402A8180FE,SHA256=55BB612799D4D18DC4EB51B6B3E56FE9A471B34F5A641D9C1F495C9F79714EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:27.529{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9527730C146EA3DABFCE60DFDE502332,SHA256=A2F146448A4008B352A9C5D9969E8BB27451F4ACF74826BAF1D85D0921F7C5B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:25.670{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54721-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000070856Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.581{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74A73D9202AF116FCD9255C63E3D00A8,SHA256=CB49B1F6E09BAA27BFC904D58D9072980E68037A073EE282FF5A7560B61B1E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070855Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.534{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABFC998BE2FA7F9187D81BCE3799D23,SHA256=5DB1D858F7ED5C411EB10032CB5074C3F532A8A6A81991962DD69DB2961D08B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070854Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.534{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1423-629F-5E03-000000006102}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070853Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.534{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070852Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.534{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070851Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.534{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070850Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.534{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070849Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.534{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070848Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.534{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070847Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.534{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070846Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.534{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070845Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.534{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070844Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.534{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-1423-629F-5E03-000000006102}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070843Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.534{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1423-629F-5E03-000000006102}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070842Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.535{0A5DF930-1423-629F-5E03-000000006102}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000070841Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.253{0A5DF930-1423-629F-5D03-000000006102}3540380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070840Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.018{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1423-629F-5D03-000000006102}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070839Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.018{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070838Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.018{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070837Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.018{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070836Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.018{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070835Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.018{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070834Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.018{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070833Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.018{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070832Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.018{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070831Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.018{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070830Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.018{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-1423-629F-5D03-000000006102}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070829Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.018{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1423-629F-5D03-000000006102}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070828Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:27.019{0A5DF930-1423-629F-5D03-000000006102}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000252632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:28.513{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C29861C702A7ACB5A5F2A0779EA5521,SHA256=4A6313987012B2881D81FE81D407DBAB97478336198CDD69222F425B73C74B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070858Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:28.690{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7B98E01903E0DE8AD3DF18675E405DC0,SHA256=C729F265333764D6019946E9575593D47DE052120C8C490FB75CA04ADAF60B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070857Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:28.612{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BAD3D246600CA6137A48DD6C8C2D9E4,SHA256=70C6148F07D3F08AD1EFF2DFF43B58587E4FB225A577349C0AB6042194CEAFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070888Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.878{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=532874E4896031A0AEE2F01AF4963090,SHA256=B5663B25A3109C303393B29D9BE4AF300C2CE830B0C4A6C716C3E5D642E50AB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070887Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.800{0A5DF930-1425-629F-6003-000000006102}8321956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000252633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:29.607{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0105DFB6591DBD7BF614CC2251646C78,SHA256=9E5A49C9EE5D1D96CA1EC70D01673F14741BBA7346D5B3F62980F5A4746CA2D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070886Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.565{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1425-629F-6003-000000006102}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070885Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.565{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070884Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.565{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070883Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.565{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070882Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.565{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070881Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.565{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070880Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.565{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070879Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.565{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070878Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.565{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070877Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.565{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070876Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.565{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-1425-629F-6003-000000006102}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070875Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.565{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1425-629F-6003-000000006102}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070874Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.566{0A5DF930-1425-629F-6003-000000006102}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000070873Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.301{0A5DF930-1425-629F-5F03-000000006102}3484980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070872Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.065{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1425-629F-5F03-000000006102}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070871Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.065{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070870Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.065{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070869Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.065{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070868Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.065{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070867Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.065{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070866Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.065{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070865Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.065{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070864Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.065{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070863Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.065{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070862Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.065{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-1425-629F-5F03-000000006102}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070861Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.065{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1425-629F-5F03-000000006102}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070860Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.066{0A5DF930-1425-629F-5F03-000000006102}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000070859Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:26.423{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50865-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000070903Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:30.940{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26BCB6B51A5829822EF27513AC5DBD6A,SHA256=1201AD7DD2477113E9F6CAF6D307BAC65537C390FE8D35CB6A24C18C67D92DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:30.701{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA76D85A439045C99BCC09CD68AF165,SHA256=7C6AB3E490C92511E8FE28F45611C5CD85727545B27B003A0C9818D21C740F84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:30.670{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A71E2A0D075AD2B70E3B180010B2C222,SHA256=A8B6A3FC269BDED556CF46718E3F3E08E5054E339D3B64F9D68FC3A9E544C11A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070902Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:30.300{0A5DF930-1426-629F-6103-000000006102}25044016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070901Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:30.081{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1426-629F-6103-000000006102}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070900Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:30.081{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070899Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:30.081{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070898Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:30.081{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070897Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:30.081{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070896Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:30.081{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070895Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:30.081{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070894Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:30.081{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070893Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:30.081{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070892Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:30.081{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070891Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:30.081{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-1426-629F-6103-000000006102}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070890Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:30.081{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1426-629F-6103-000000006102}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070889Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:30.082{0A5DF930-1426-629F-6103-000000006102}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000252634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:30.326{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=285E873095719A2BA3DEFEEAE950A3EA,SHA256=9B4BC534AC7193DCDFF20E548BB0E7290E626013899B4E0D475C0EE02CC185E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:31.795{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B80366121F6708436A7B580B5D4ADB,SHA256=4CAC2A1A0BA6D249F42370ED277ADCFA16E1FE4806CCF82A674ABB5A9295B9A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:29.107{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local54722-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000252637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:29.107{2E1864BB-FCA7-629E-2A00-000000006002}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local54722-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x8000000000000000252640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:32.904{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB95BAC40C4B4C8CB0B09863D2F8D6E,SHA256=D792124C0D8779591EAC04A4ADE821E4E15BB5605F7B68BAE1283605A1D83E4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070918Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:32.862{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1428-629F-6203-000000006102}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070917Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:32.862{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070916Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:32.862{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070915Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:32.862{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070914Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:32.862{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070913Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:32.862{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070912Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:32.862{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070911Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:32.862{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070910Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:32.862{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070909Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:32.862{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070908Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:32.862{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-1428-629F-6203-000000006102}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070907Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:32.862{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1428-629F-6203-000000006102}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070906Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:32.863{0A5DF930-1428-629F-6203-000000006102}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000070905Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:29.688{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50866-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000070904Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:32.034{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20DA24625C3031C065F80EA991F6FC5C,SHA256=9A037789FAB637C41A8AFC7112E5E0E846068B17F3D2AC7D894064DFD50425EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070920Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:33.925{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D71A29030FBE4B3E564B5910C19083B0,SHA256=1722EC615C2887D6A4243BCF9DD4CAC7F4F2426094191725D6D7C6BF4D40E2CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070919Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:33.128{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=199FF41B65A56BCB44CC292F85EC5F53,SHA256=A802089E719E96A648FABCFB914FE7941BD4730D6DA271C12A5F5AE5799ACB1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:31.607{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54723-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000070921Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:34.224{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C7BF4B215F02232C75AD1FEA0BC812,SHA256=3C48FC1A4E9371B1122A687C605DFDBB43C5CD9862CF5C9EAC25DE09BD85F4C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:33.998{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B2819222A66947079F1A79EBB04095,SHA256=A21F16F470EB39E1C005F63A9F372EFD2DA7B1439837656A37A685572E588B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070922Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:35.317{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1D379297AD683F8D4FFEEBFAC676AE,SHA256=A4CAE4B9BD2B8855FFB59FEF7BD2D0A335A67576EBF2DCC5D2762C465A4AA047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:35.092{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A053F5A40B526809D0F3E68574BA0C61,SHA256=8423FCFA719F1B582D5702C526B6366A41CBBD9F24676FCAEA0AD958E443EA30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070923Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:36.411{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B7BC69DEC2C300D2D1950DF50DB3D82,SHA256=B7C635F541A0735782C0D225DAAAAA43BC663A1594418F55E528450ADC95BCB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:36.201{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3407260FD4A100D446510E85DCBF9FD6,SHA256=F7EEE0EFA0F67445B92020F64986FA6293BFF70F5B9B3427B93E6665EA554B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070925Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:37.614{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F0377E6364EAA6E1E7012BC478F18C,SHA256=8D6B53E23A1ED554CB72A4737065355E97DD65AF7B3EF647A82E2909196C405D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:37.295{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B266AD585F66C6A88EB05F5607C11A79,SHA256=3F8B111A654CD7E9C5B040C89F5D5767AE1098ABF821F0738BFF51A35A89E53D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070924Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:34.799{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50867-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000070926Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:38.817{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41338F4AC1A4E365B4B8993EC59E6262,SHA256=D3C73F4C843F3FBDA5E5252F26FFA1BDE6A19994F29A71E887725D20CEE83661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:38.388{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D7749ACCA16418B905E9430E3BFA4C,SHA256=61FA8E524C38790728B9275602BE4A706B8887CFE803F95C7C8F9DDAB4B86409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:39.482{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1437FD549D47C9563F9FD8168CED5A8B,SHA256=904F8A71FF02385EB17FC49556E2B022B61C718A3497B1D27AF16909F008B358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:40.967{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:40.576{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA72486875321ACDF23126C2500E32A7,SHA256=12EF47480DFEE47A2172AEDD8F898C9929D1182635284BAFFB25D46EAB820054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070927Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:40.130{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD197789C1C6BDA7148B6CBFF31B1A7,SHA256=2F34B8C297D0BF834A543B7CF6B6925F1715DFD6E2528B9F20BA0028ADBA1569,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:37.560{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54724-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000252651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:41.685{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C3A0F359B570BB497C3A8D5E8CCE94,SHA256=0CA3CEAB347C4A746B11CBB8E6ABF446F91FD01B225E030BC8B9F67BCD02C821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070928Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:41.333{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6A76A527FE65B835D2F58702D51868,SHA256=28791EE23C567231F1E70C37AAFBD67BF416701BC8F66FDDAF39CBF3A02E0864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:42.795{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C263B2589D41053F6FED718BCDEF6A,SHA256=A3B151D4F3862084B3CB4E6530A46B0DDDCED72126F7DCC4627CC2F92EE97A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070930Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:42.427{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979594997393483EDB24392FF00F3346,SHA256=25FE22A26259D5D90E2FDEA2D4B4EAC7A10E4C5935760F11ABA313D974C87FB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070929Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:39.877{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50868-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000070932Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:43.727{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220607072316-096MD5=9111EC41FF83C628EF84330FEA05BEAD,SHA256=3F7BCDBE67AB8824DC300550CB45B7322968B387BF2CE401070A8C26F347D813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070931Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:43.522{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5028879DEA7D7F3A33E3F267BAFD6433,SHA256=CC930C5FC64DB6999D41DE2987031C81AC91D5DABBA07C9C329E0E3C4BF2A008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:43.904{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A71C9752A273E5864722DB529FF9A7C6,SHA256=2296323CC1B01C2BCD877573FE99D164A28F7D8C2ADFFFACE20F6D8F9AE29943,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:40.466{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54725-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000252655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:42.670{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54726-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000070934Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:44.740{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220607072314-097MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070933Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:44.708{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF4063DC17A13239378FEF1ABA05BFB,SHA256=6A89D8B621CB948AF76621E8ABD556C58C1A9667FA29F13B3E59991C199317BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070935Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:45.802{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5184D7F8CDB04C5A1634DC657813EFB2,SHA256=30E57FC13AB17EB32CB8196406118A3C759DAF892524A49E71BDD5B861294F37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:45.015{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF008D016F526A833F655FFB4CFF9C94,SHA256=C79BC48BACCF6860F0A1E4A170A52E13607A1A22DC097BEED4FF93866FA3574C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070936Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:46.896{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBAB302E730BEB7C9915774E08C2A4A6,SHA256=B31E8A19B073E74BBAA5AABF34DFFB9DFCD8C079AECDE61464BE56B0746D0CB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:46.205{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220607072217-097MD5=26E254714248D0D79F13F56976A5C4B7,SHA256=C15338F826599CD6AABDB3AEEABC6E7FD705959E0E9A072D05126DC09FC03A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:46.107{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2D0A74D36A19364EB5FBFCED0D1426,SHA256=498EC4A4CAF3319B95A479F710CECA42124A5D95DB0B6D5D9B1957C89DBD1409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:47.206{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220607072215-098MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:47.189{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4701C8AB5517F4777954ABD6C635B5B,SHA256=2E2DABFB6F64486B8049E991EC5131FE73152DDB4759D6EC020C74392D94A324,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070938Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:45.894{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50869-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000070937Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:48.209{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46017F8A304D2A7CD4A7AD78E5B3972,SHA256=AD9637D8023285C17CFB4C5015429FA491B3F9F4898044D667EA9B1F1011C863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:48.285{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F9482AA64B8B1B6C1F737C994F40AFB,SHA256=F0509C54ADEE54666A85897C928B51E39850971B7B661ED886FAE87F066AB16F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070939Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:49.303{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A6659C9710071136F6DF1F9C0C6AB99,SHA256=89801DDD7F330E769BB10B5DAF4FFBB33A14942015FFAC365FF3BBFA83FAAAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:49.379{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C20B8BACC4590DBF714A733171B8CA3,SHA256=B533E820F9E15C241FF2E8D4598BFA83AB85076C3BFE63FEB0779AB79345F8D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070940Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:50.396{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7CE82B03C981E7D001C0C2C6DCA616,SHA256=0A5F02D0B73876DC88F14A88267EF43E1CB08749935D670F1D4D29E2696C34D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:50.941{2E1864BB-FC96-629E-0B00-000000006002}628368C:\Windows\system32\lsass.exe{2E1864BB-FC99-629E-1600-000000006002}1320C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:50.941{2E1864BB-FC96-629E-0B00-000000006002}6284108C:\Windows\system32\lsass.exe{2E1864BB-FC99-629E-1600-000000006002}1320C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000252664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:50.472{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7ED8CF81FB7E47632579AB8F2EA12C,SHA256=7B00E49C1931F27CC2D53B34C58F171A5BC5BBBB68C6DD8FF42156E3764E303F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:47.691{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54727-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000070941Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:51.490{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4928DE59D63E43061932EACB35DF023,SHA256=21BE055F5F8BC4CF1D93F664C8512C80B15EDD5F8A913EBFBD54E23CF619A07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:51.566{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F388139C803251BBED321A8D240E8F,SHA256=0632D3127831D29E40DFF0838E97290B2A414AEC030A0C729AD4D79CE23D25A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:51.050{2E1864BB-FC96-629E-0B00-000000006002}628368C:\Windows\system32\lsass.exe{2E1864BB-FC7A-629E-0100-000000006002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+976d2|C:\Windows\system32\kerberos.DLL+79b14|C:\Windows\system32\kerberos.DLL+1444f|C:\Windows\system32\lsasrv.dll+2f1c1|C:\Windows\system32\lsasrv.dll+2d0a6|C:\Windows\system32\lsasrv.dll+328e9|C:\Windows\system32\lsasrv.dll+30237|C:\Windows\system32\lsasrv.dll+2f1c1|C:\Windows\system32\lsasrv.dll+174fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000070942Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:52.584{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A4A5F652BA3DF506D8BD3A82B0DE58,SHA256=D2A966F4CBFE1F6EB74352A0A69CF22A907A91617D5535A6A8154E17669CB9CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:52.660{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE25B567373C3782111C206A826418A,SHA256=B860CCA3ADD7C255B75F7DE40D94447BB8854102934CF9BFFDED26F433EC8C69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:50.570{2E1864BB-FC7A-629E-0100-000000006002}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local54730-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local445microsoft-ds 354300x8000000000000000252674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:50.570{2E1864BB-FC7A-629E-0100-000000006002}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local54730-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local445microsoft-ds 354300x8000000000000000252673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:50.468{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54729-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000252672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:50.468{2E1864BB-FC99-629E-1600-000000006002}1320C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54729-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000252671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:50.460{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local54728-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000252670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:50.460{2E1864BB-FC99-629E-1600-000000006002}1320C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local54728-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x8000000000000000252669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:52.004{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F81A06D06E983C500BAE60DB8CBBBD4,SHA256=6B9D77097A52212BCD199B289ED5D76CB64E53CE511879BBF54303A57DB9AA2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070943Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:53.896{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1A097236962F100F5C41C5552A51C8,SHA256=A9859970D6E098B2A822B29751FCDBBC58EF88934FC1E43185089568EC36FB39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:53.754{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FFFC8AB9C0F08E2BF69D18C03AA85F,SHA256=7105D0E23B3551CD299AD4817ACBE74E007355C53382F940284CD9699F97A8CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070945Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:54.989{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6A11608FA9FCDA3C4B959FF3EB6736,SHA256=AF665D86866B38AB071138DC5D99E3180B4543E21C75735EB5FDCFAB8D043DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:54.847{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCFA5B4D8DEEECCCC4C77BA965BEABA1,SHA256=06BC24AE71F46152DDA338697B43F81E2F3307BB083A32710F8B0FE1BA44BA41,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070944Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:51.925{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50870-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000252679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:55.941{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91663D4BA201B3F466EDC876C88F353,SHA256=A93DE2D7B8CF110A07F4FF604E872AD6493B8BB19004389FDDCC113C9E6797A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070946Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:56.192{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE12A3E56237AEE0B5C8BDA2869C37E,SHA256=E574DF9E17B0F1B7AEE688E07786ABECAE6577D9FF8763DE6C6DFB3FE42EF4CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.972{2E1864BB-1440-629F-DF03-000000006002}10202440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.785{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-1440-629F-DF03-000000006002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.785{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.785{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.785{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.785{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.785{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-1440-629F-DF03-000000006002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000252691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.785{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1440-629F-DF03-000000006002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000252690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.786{2E1864BB-1440-629F-DF03-000000006002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000252689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.550{2E1864BB-1440-629F-DE03-000000006002}21841588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000252688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:53.613{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54731-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000252687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.285{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-1440-629F-DE03-000000006002}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.285{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.285{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.285{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.285{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.285{2E1864BB-FC96-629E-0500-000000006002}412528C:\Windows\system32\csrss.exe{2E1864BB-1440-629F-DE03-000000006002}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000252681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.285{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1440-629F-DE03-000000006002}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000252680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:56.286{2E1864BB-1440-629F-DE03-000000006002}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070948Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:57.926{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=37E7EC61335836E3FCF37D63CB85D312,SHA256=E7C18CB0C507158DA8ADCEB96726139FD40A3ADA93BEBFA7FC81B97A7D990C07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070947Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:57.395{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A267E358898E89328DE7631865645B,SHA256=96338AE8727B6CEE731565ABC8054B96CFBA80A956A024ECFEA83892DEDFCA71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.941{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-1441-629F-E103-000000006002}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.941{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.941{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.941{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.941{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.941{2E1864BB-FC96-629E-0500-000000006002}412528C:\Windows\system32\csrss.exe{2E1864BB-1441-629F-E103-000000006002}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000252715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.941{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1441-629F-E103-000000006002}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000252714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.942{2E1864BB-1441-629F-E103-000000006002}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000252713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:02:57.582{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\76F93978-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_76F93978-0000-0000-0000-100000000000.XML 13241300x8000000000000000252712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:02:57.582{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\634CD7B3-42FA-429E-8949-85C1FE2E997C\Config SourceDWORD (0x00000001) 13241300x8000000000000000252711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:02:57.582{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\634CD7B3-42FA-429E-8949-85C1FE2E997C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_634CD7B3-42FA-429E-8949-85C1FE2E997C.XML 10341000x8000000000000000252710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.566{2E1864BB-FC96-629E-0B00-000000006002}6282648C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.566{2E1864BB-FC96-629E-0B00-000000006002}6282648C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.441{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-1441-629F-E003-000000006002}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.441{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.441{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.441{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.441{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.441{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-1441-629F-E003-000000006002}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000252702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.441{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1441-629F-E003-000000006002}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000252701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.442{2E1864BB-1441-629F-E003-000000006002}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000252700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.363{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5392E1EFF9A9DD8FB3BFA08630A16B44,SHA256=34A97EAB9C266BA50E10438525A5188D28B0FE49D147A89857685E80BCEEB68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.144{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E253497E2474E08C71C7E402EC71EB49,SHA256=9C7C1B9D556846D6C33CD57FC6CD49C2436A58C325FF0F9A683FDD3226805D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070949Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:58.489{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304C97E7B3A9061DBAA792F300741D37,SHA256=3AFBB741F7839EF513E4F5A509C63392C9F7656815BA9D4E4200F1B830E97EF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.582{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-1442-629F-E203-000000006002}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.582{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-1442-629F-E203-000000006002}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000252739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.582{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.582{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1442-629F-E203-000000006002}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.582{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.582{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.582{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000252734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.589{2E1864BB-1442-629F-E203-000000006002}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000252733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.425{2E1864BB-FC96-629E-0B00-000000006002}6282648C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.425{2E1864BB-FC96-629E-0B00-000000006002}6282648C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.425{2E1864BB-FC96-629E-0B00-000000006002}6282648C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.363{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.363{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.363{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.347{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.347{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.347{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.347{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000252723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.254{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D70C74B94238904C3246756EF198794,SHA256=5D58005C6EAEB07B181A30A79964083F27FB004777A0E2284A079039F0B222AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.144{2E1864BB-1441-629F-E103-000000006002}46803812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000070950Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:59.582{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5251A52718A5BE63666BBBB97C9FFD,SHA256=9ABF1F1229E2C1A6C338B82453A82DB98FD06B84DE263CF554D24ADFD8B92B7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.925{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-1443-629F-E403-000000006002}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.925{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.925{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.925{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.925{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.925{2E1864BB-FC96-629E-0500-000000006002}412692C:\Windows\system32\csrss.exe{2E1864BB-1443-629F-E403-000000006002}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000252760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.925{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1443-629F-E403-000000006002}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000252759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.926{2E1864BB-1443-629F-E403-000000006002}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000252758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.457{2E1864BB-1443-629F-E303-000000006002}60161620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000252757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.086{2E1864BB-FC99-629E-0D00-000000006002}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local54732-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local135epmap 354300x8000000000000000252756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.086{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local54732-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local135epmap 10341000x8000000000000000252755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.441{2E1864BB-FC96-629E-0B00-000000006002}6282648C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.441{2E1864BB-FC96-629E-0B00-000000006002}6282648C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000252753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.347{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF7DC60E899D1E22F1D7BD5E4A8E048,SHA256=48E7094EAB3745DD7DC716781B5211E22CBF707937553E4F8AD55E76F2EBAE03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.269{2E1864BB-FC96-629E-0B00-000000006002}628680C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.269{2E1864BB-FC96-629E-0B00-000000006002}628680C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.269{2E1864BB-FC96-629E-0B00-000000006002}628680C:\Windows\system32\lsass.exe{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.254{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-1443-629F-E303-000000006002}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.254{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.254{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.254{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.254{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.254{2E1864BB-FC96-629E-0500-000000006002}412692C:\Windows\system32\csrss.exe{2E1864BB-1443-629F-E303-000000006002}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000252743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.254{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1443-629F-E303-000000006002}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000252742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.254{2E1864BB-1443-629F-E303-000000006002}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070952Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:00.785{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4920498D5087364423E323B3F89A3FB2,SHA256=465B192BD5B57CB04EBB948C95EC834ED562A04DDFCE70F9C2CA7CAC225E4A5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070951Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:02:57.798{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50871-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000252772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:00.566{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8F2B491D8F6BD6EB4777C775CBD7C6EB,SHA256=3BEFA50A6FE0AE13F930BD8086F4606BD0EC80216C8408BAF7122222ED83EF04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.784{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54734-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000252770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:58.784{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54734-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000252769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.940{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54733-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000252768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:57.940{2E1864BB-FCA7-629E-3300-000000006002}1296C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54733-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x8000000000000000252767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:00.347{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9556AD8ED296DFC28D1945BEF40A34,SHA256=90740828EE29DA2927C57CB65DCC1ADD6CADD549E9BB0FBDD9A6367BF584B732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070953Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:01.879{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA761812DB5774E740117EE7D71C7489,SHA256=E9A850AF850CE1BA2E62CFDC7E51D96DB37791B358174C648A561CAE915961E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:01.457{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BADA43110FA9E9BECF9C3F93BA5A018,SHA256=1C3AD141D1817311A5AFF07AC0E3E6D184E161D488D22D443F105851C4CB337A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:02.957{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02DC6F85ABF7B8CC5C5E704E34C10C7B,SHA256=2C68DF52ACC7871D8A6249D2689F42B38726714010DB60506BD86594F93A5C59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:02.629{2E1864BB-FC99-629E-1200-000000006002}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BBE456F1B8036F51CB4C26A2C33C9A59,SHA256=351CB9679CDBA13D67AB0360C0AD3081D178E2BB5F31C760DAEC1F6A81068B5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:02:59.550{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54735-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000252774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:02.550{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9221B2ECFF218FA25801EFFC25389282,SHA256=927949AFA5F16F08E5614226B2C8C07C30144BD4678FB43FF86A88D0130FD5F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:03.644{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6BE9F0F91C2A0EE93BC388E48E3164,SHA256=03F341A61B5B75C604C3DD1633C3E64E1A8DEA23CB2E47AC266DC4017E883C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070954Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:03.207{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2241E55F2373711C8EE173CAD9D0E12,SHA256=7DD5DA779C7B379AD2D8681B023E4FE77009627BD2D6C4B828758F073282E634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070955Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:04.301{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50041BFB5AB91D9B56AD12AE6F25D61,SHA256=F7319EDDB05D4B59A80DEE075D289BAFEEEFCBB816778DD1220339256A3DBDE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:04.738{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081CAFD3908E3B8486E9437DB704F073,SHA256=666C366B30FB959626E6BDF52E3A1266EC797722FDDC6BB7E5D3D12D24F5FE55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070956Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:05.614{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB7D7E53B0847329208414620FC3838,SHA256=B795803CB755F7AC883BB8DA2016994611683E78F59421F7EA61CF1996B6674D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:05.832{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1F6FADE9B02906B8457728EFD9F502,SHA256=E91FA7B8901E6E4C93C02F4C01459433B4AC425DD8493F0FCC2975ADF10AA8D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070958Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:06.926{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E533D1C61C32BF2968A3756FE3738D5,SHA256=C16BB56C8D41930262FF8069200855A2D91E70496AAD92D74CB4502F3B128505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:06.925{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32544E2AFA5EFD2AE895797702309CD0,SHA256=B834DB0ADEB66C0F89AC6C7EE9F41EF06FB801FCE71778C08A080F41E3313409,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070957Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:03.751{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50872-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000252781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:04.566{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54736-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000070959Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:08.239{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B805D471536A6DE75007DF44C1CD99,SHA256=0D96D4FC5C47E2BBD34F6D0241D430BD898E98E2FCCABFED351399AF56C0A4FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:08.019{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724F3A581AF75DB75A9B24C20E16A1B8,SHA256=A719183D13E0D713F7C87D8558B96591DEEF0A20BE7A93C6A625EEC50FDB9E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070960Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:09.332{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD23A20313F14323A0940A38154D21B,SHA256=CFBB45E6373B089811C28C0724F4E2150A9714BDC37414CEEF5EC8ABE29ACC88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:09.113{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DF3B5A0B3A6319F8EA6F5CECC210EB,SHA256=914241FBBDEEAC2C2C9DF58A4E734CB8CE225BD0F537D18C838D6673CF16C65D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070961Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:10.426{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3700F83151A0FB1E409073916571480D,SHA256=2D007F1BE4471E4B75D74AE784EDD227C860B87BB4BD256A15E74AB3D5FAAC8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:10.207{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B658C2F60A9DF80F8A273B43D5A7C1,SHA256=7C3B4D4281270AF7CFD41E66B99065077C52954E4C9E178E53E65F67CFB3C51E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070963Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:09.735{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50873-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000070962Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:11.520{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC32FE54CFE1013688837F435240E18F,SHA256=C7CE14CC67799AA1FE4F991BC75E9AA63B6AE11BD67A0DE7F486F47734D44F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:11.300{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF4E2451BA19CC782EDA4E26228CD75,SHA256=EE622FF9CD4101DF2DACA65508B81B2DFE756DEB42B679C83373CDB6D0AB0614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070964Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:12.614{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C095860ABE696DF5439E4D57C71433B,SHA256=7931DF6981D1B6B1B6CCE57900B2E6790D45560E9AA73BE3CF2F2D06074F81A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:12.394{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296EA7A36F898D6B732D06123D36D6C9,SHA256=D303E3AC6A900BEC73470651CE2A2B20BE4397E42E38C9D83A44920232F50398,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:09.566{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54737-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000070965Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:13.707{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C600DB904EA2BF409AAE15F49740E068,SHA256=55F3F017A5EF85327DF3AC7C00841B5CDD543D42F5638AB5A4DD537D0CEA18A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:13.488{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=371DDEAF42329AAAE3E9139D0EB24111,SHA256=0F80E33089773EBB320C8B7F4F6626A520552D41DD5CCE95CAFE1190B11064C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070967Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:14.915{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ADE7390D6C0E509EADB247B987F6F96,SHA256=24A5A5AB47AB0FD06A371D8F6A6821A68C2080FA4E385E19538797F4E66460CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:14.582{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5885EA365140BC6E8D6E826DD499806A,SHA256=9E23CDC747121401DB9B3E90D3517EB5A3F7722D11DB71AB7254745049511D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070966Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:14.540{0A5DF930-FCE1-629E-1100-000000006102}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3E9B7B2AFB1507B762F0BFA6F6F3CA61,SHA256=531693D8D6E7913636D6E6A875ADBCD6DDE33F6893A129FD6D28C4BDEC12729D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:15.675{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0589A30550075D032230D069F7195E73,SHA256=72CE9D8EC4035301357484C55A862022536036370A4275D64FF8DC54A082373A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:16.769{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDABCA2648332367712EE12C0836189,SHA256=CE9820C8573FF2D2CBC9F2DE76A01ADA601ABB52EBB9CAC86802D29DB59564D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:14.643{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54738-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000070969Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:14.912{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50874-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000070968Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:16.008{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265C9B999594914FEC2E7CA78F24ADC9,SHA256=1883A894A4FD2EEFB1E5A6F7F3FEC9DA4A5D6095F67F54B866755AB81567EB41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:17.863{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039EEE124357EA0721CBB824148C87E3,SHA256=2380245AECA20B745BE1F352B1481A87176DED89ED6FAB5881918617A2C43648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070970Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:17.103{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4531F9E06D4E13936F6AAA52966AAE2,SHA256=D62041FA5F271AEE283163A0300B371B726D2C8ACC84CE615474BD4B06AED07F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:18.957{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA134AA00F3418A8E24AB5B47EAC3EFF,SHA256=BCDE9A9A84E946CE44B37BC6457BAE493288CDA6598A6ADC6E3DBE47624F281A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070971Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:18.416{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=967E5A604E3AB07674A22CB2F0A8A35B,SHA256=366E054248A764B610F51E7199F6284A2882B1F9CBA1CDD75B2719393980E88A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070972Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:19.621{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A3B23F380EF2689BD1B4D6AFDC6B96,SHA256=EAA6DB917317CD24578A3CA257245C9E9E7DFF1AD60FF343243F4EC6E3B4B87E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070973Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:20.713{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057E8C90A36E8D6ED131E322671AACB7,SHA256=F289578D2DC1D3CCAC331B7177833F5F004D43BB3D089C6B35D33739329DE13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:20.050{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A2AEAB3511241B78648D92A5934B00,SHA256=00D93F3CCA30A11C681D13D8E7400741DC2CD30078BFAF6928EC8BA5B1562B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070974Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:21.806{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207F6F65CF9E2CE188D5BA6D2F7A1B56,SHA256=B0723F541227D5BE7DD3791C4E9969B950102B56299520FA5210AEE4AF7E6EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:21.144{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE5FC54443630D0F25E9ED4B3FA3CA0,SHA256=9CECB1D75C390D8268303C12EEC283ABF10B199751555C980CEE1531B15C9C6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:20.628{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54739-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000252798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:22.238{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4347F5573E4140A6B6BD6FB0209573FB,SHA256=9144BD7330647680DE098E7B2C728A562EC1BD4DAD878484EF79CA3A280F3952,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070975Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:20.819{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50875-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000070976Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:23.119{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A856134ECF1E0FE2362114D2BEF3F0,SHA256=5B16C3A6A9FA9ABCED3405E12D598AA16190A37F4508E482CC93B7E87E370122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:23.332{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C2DB74FC6A0AFA7F4AE97B262A0C3B,SHA256=E3F64BF0143C8B576BEDF838069A8E899AD7CD917F790D4BC08F58767CDCBB81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:24.425{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B4B683DB6A58C6A5BF93B9F4CF65F7,SHA256=E54807E5597EB85D963BF151692A5A8B7C811E5D3F1829E67EED821D2D75B86A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070977Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:24.322{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8A395710B74478511C4B97CE6C027A,SHA256=B1A6E8366FE01FA64201B6CD5BFC5BB75FC85FB86B1176B2AB4C86A73A59F178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:25.519{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BF437CD00D390EE861DA2A3CE330B6,SHA256=7BE8C43C454A9969D67EC3B124C5708D8301043DC6662DEA278C5B9E93483AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070978Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:25.416{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=822C2F7D1C65797AC21487C7D4B8B27B,SHA256=D2DF4B2E3F86D25E08CF7A8A60F1CE761D020C18150686A932B6BC2FB2FD06B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:26.613{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4464282290D916D58820D34891BFD1D,SHA256=76CBCD37514C36F9FED1F15E445840743E626E410673E25E821526E4430C1C27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071003Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.994{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071002Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.994{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071001Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.994{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071000Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.994{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070999Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.994{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070998Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.994{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070997Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.994{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070996Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.994{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-145E-629F-6403-000000006102}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070995Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.994{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-145E-629F-6403-000000006102}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070994Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.995{0A5DF930-145E-629F-6403-000000006102}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070993Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.775{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070992Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.510{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13D4A949C3F8638C9ECC534B69BD657,SHA256=8AD7210F85F800D5BE49BF825C48743F57C3F0010DC4FC3EE94DB0ADD61F67A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070991Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.494{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-145E-629F-6303-000000006102}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070990Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070989Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070988Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070987Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070986Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070985Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070984Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070983Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070982Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070981Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.494{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-145E-629F-6303-000000006102}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070980Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.494{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-145E-629F-6303-000000006102}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070979Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.495{0A5DF930-145E-629F-6303-000000006102}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000252804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:27.707{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B99CE3EF3159B3E9621CD9B48673EC6,SHA256=7ED43FE427E96901AF791312DBF21918F5F048922F2DBAA2EFA39B882F76B7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071022Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:27.697{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C693A69A1D31CD7B60EE17A8EC22CE3,SHA256=73D3272EF12799EA65370DFEE8BB99CBEFE68ADC9A3C04C28C58969FAB5C38F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071021Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:27.635{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E5DCF22DFF9078581010922F6A35F41,SHA256=66752106D07714E06DC79E0D66EC0010FC0BB837F48DDC461EC1BBC0A211C0D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071020Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:27.494{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-145F-629F-6503-000000006102}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071019Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:27.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071018Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:27.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071017Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:27.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071016Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:27.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071015Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:27.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071014Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:27.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071013Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:27.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071012Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:27.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071011Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:27.494{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071010Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:27.494{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-145F-629F-6503-000000006102}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071009Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:27.494{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-145F-629F-6503-000000006102}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071008Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:27.495{0A5DF930-145F-629F-6503-000000006102}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000071007Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:27.213{0A5DF930-145E-629F-6403-000000006102}27882016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071006Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.994{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-145E-629F-6403-000000006102}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071005Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.994{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071004Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.994{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000252805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:28.800{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F97135CF361748DA507C056EBDBA0AD,SHA256=28CD68A8979CE91DB96D96F4CF61E6A723C2551920A35EC0AAFC4CCC67D99F71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071024Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:28.744{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D0A7339F12A856D066B3F8EB754FD0,SHA256=7D5641B837C1C6BEB1A98FF30AFC40877C8BCAD060E77C371FDD8ABAB0072D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071023Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:28.197{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B8E3509F996FA1C124BFF55D13D038C1,SHA256=BFD8810111AEBA81CEFF1C0F7176B652CFC0B6462DE35085CDD7C4AAF7BC203F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071055Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.978{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51507C1C52BDED3100C9B152432E5136,SHA256=E0C9CFF727075B1C559F1E37F48558C5DC0D742ECD6E1986B74801CA36B40F64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071054Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.839{0A5DF930-1461-629F-6703-000000006102}3188208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000252810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:29.894{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4117CE2AA2188B4924869A8516B9255C,SHA256=19828F4C06E4F3613882613AE234AB5D1224BD9A568BBBBEC5DA8CDCA4FFA3BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:29.769{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:29.769{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071053Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.650{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1461-629F-6703-000000006102}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071052Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.650{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071051Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.650{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071050Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.650{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:29.769{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071049Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.650{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000252806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:26.628{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54740-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000071048Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.650{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071047Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.650{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071046Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.650{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071045Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.650{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071044Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.650{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071043Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.650{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-1461-629F-6703-000000006102}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071042Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.650{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1461-629F-6703-000000006102}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071041Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.651{0A5DF930-1461-629F-6703-000000006102}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000071040Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.260{0A5DF930-1461-629F-6603-000000006102}39963048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000071039Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.865{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50877-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000071038Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:26.443{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50876-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000071037Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.072{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1461-629F-6603-000000006102}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071036Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.072{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071035Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.072{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071034Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.072{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071033Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.072{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071032Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.072{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071031Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.072{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071030Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.072{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071029Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.072{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071028Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.072{0A5DF930-FCE0-629E-0C00-000000006102}7203388C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071027Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.072{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-1461-629F-6603-000000006102}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071026Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.072{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1461-629F-6603-000000006102}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071025Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:29.073{0A5DF930-1461-629F-6603-000000006102}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071070Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:30.947{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0315750BA27F9CA288E8460D7D8E203F,SHA256=2DAC10FC49A7D4EE7CB44973EAE6466E41E2242E955BF258FD3969C83F2F8B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:30.988{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C6C177CB4AE1930185FD151C6B0AE0,SHA256=F1EDC70A2D1AF307A9825A67FF4397B91880BF4BD44F3C20FB73735ED471B637,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071069Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:30.385{0A5DF930-1462-629F-6803-000000006102}37601756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071068Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:30.197{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1462-629F-6803-000000006102}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071067Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:30.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071066Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:30.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071065Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:30.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071064Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:30.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071063Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:30.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071062Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:30.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071061Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:30.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071060Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:30.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071059Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:30.197{0A5DF930-FCDF-629E-0500-000000006102}408528C:\Windows\system32\csrss.exe{0A5DF930-1462-629F-6803-000000006102}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071058Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:30.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071057Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:30.197{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1462-629F-6803-000000006102}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071056Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:30.198{0A5DF930-1462-629F-6803-000000006102}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000252812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:30.816{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=15A0EB029C6641A3B2DB6910E7CE8499,SHA256=83E716FD29BFA9368D6CE509989C8A9FFC0EA34602CB5105FA6453EAB79A5E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:30.628{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFE970987840D162F780A5D9C93EC929,SHA256=B9F28E0C4C534600861775F7462D8FDF6B40EA1B7E041EA1A2D26A3029340499,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:29.112{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local54741-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000252814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:29.112{2E1864BB-FCA7-629E-2A00-000000006002}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local54741-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 10341000x800000000000000071084Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:32.885{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1464-629F-6903-000000006102}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071083Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:32.885{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071082Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:32.885{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071081Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:32.885{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071080Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:32.885{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071079Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:32.885{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071078Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:32.885{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071077Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:32.885{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071076Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:32.885{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071075Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:32.885{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071074Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:32.885{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-1464-629F-6903-000000006102}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071073Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:32.885{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1464-629F-6903-000000006102}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071072Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:32.885{0A5DF930-1464-629F-6903-000000006102}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071071Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:32.150{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F11027D752BF44BB0EC0C41D77EA9CC,SHA256=09C78FD7A7AD9571F3ECC96A5B1C64A16375F37F663AAACCF1AEC48D93072AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:32.082{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B998676DA41F6AD907CCB043B27D567,SHA256=5639E3ABC02CD678BE173C504A37CDF70D30CAED318802273426B1B46EFAFE84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071086Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:33.978{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EABDA677269FB586C7D4D29B22ACC4B3,SHA256=91EAD6DE8ABAEE62545DFA812171A0BD0D8C2351F31723049B2F5A5B1AA9A2BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071085Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:33.463{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF52A91A7E3334556320F738A5607C5B,SHA256=7D38222C429DCDFD38639DFFE01EF413C8D9977A892F11F086CEFC1933DC97A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:33.175{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA3501D75A29B6588F807F760B8E817,SHA256=A24E3C1E790698859A7328E01BAAE7841FED41531F4C818CDDF5717B8A166669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071088Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:34.556{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF758D61A7FDBFA6245C28B131FE5C8,SHA256=1AB92D6E561D732C2D04C9D27C3154D709046B4299ADEBF64313C6F4F8A4838E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:34.269{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D1DE4BC5E08C2DE76DDEC2B0B36C9D,SHA256=D1212ABBF0A2F4C9369C3D171183F8EECD34153D86ED12EB5CC4375BD1094E15,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071087Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:31.943{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50878-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071089Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:35.760{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=172A3ADA1CD83EA1137DEADC926575D6,SHA256=2D2DB37AB35AEA5B38E12DB8923FAEFAAF4D2E47A0F0A5CF0188709EA3F836EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:32.674{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54742-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000252819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:35.363{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F412DF8B2D0DDB41A7324645B701FF9,SHA256=F46541D63A2A4EB5C9BBB738FCE45685EA73178CDC64D9F9E1990D590DA46FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:36.457{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03605B603E61747FD143D95E0DC2E703,SHA256=B3788321DC7CC8DF7AF48A7CF9B8B79446934E6179C6E5C2B49A0C95F500F9A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:37.550{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CAB7C7033DAA6ED5131D170B0C67B45,SHA256=399E445BE20D1BA418710C5B5AAC0362558F43FDDC679B466C4C8E23DCD0416C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071090Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:37.072{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C59EB925914A9628C284FB857E3AA22,SHA256=4C1C8220328D83425BD9B2D33B0EA43CABC1E79A9490676B62D02B2244D47C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:38.644{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3101B4A0111CF5716B5BFB8976ED4E,SHA256=539F6FF721920B8B79205387BBFE1DC0186B6AB8562BD677263DEB4B06E1617E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071091Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:38.166{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916BB04CB3D886B6687CF8992D3FF9E7,SHA256=E59C405E420DD96F12F07DEDFCFFFBE93F9E69B3C102ADA17F7A2229A09A7982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071092Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:39.478{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0169629C6394D8D4CB2543033AFF99E9,SHA256=1D2E42068558D77A5AC40C653E603E447E4774B62E89BE4761ED402BA3347780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:39.738{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D987CC8CE0CA899F4128306480EA972,SHA256=38B63BC812466D37EF2766E5B06ECB3EB9DFACAE7538757D1AEC28DBA87F716B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071094Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:40.572{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E581EE3A6BE9054BFA3BC80CF4823B,SHA256=FB82CDE173C8701077DF8D24EB817F5914A131EB977FCD034C28AD69BB08EA73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:40.988{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:40.832{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1008234167B379B836C2122F8FDC9106,SHA256=9A79ED54F25B96F2E15838C440A171A485BC950BB822ED88AAB7F9070BB1B8A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071093Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:37.882{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50879-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000252825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:38.581{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54743-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071095Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:41.666{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94228FFAA032A738A75C8E87993D03E,SHA256=4DFB0A0EB9DD2CA20668AAE48DE02BA0311549322420A4C41A57D7CB0DA8E647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:41.925{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40697D33217EC89CC4455077386000BF,SHA256=CBFC1FE85075E10AC0D159E85012A7A632A590EAC0B6CAE1D85C8F590DF02DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071096Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:42.759{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE1D3BD35BCE5A16D3024162631A3663,SHA256=4B3794D3CB4154E5A63601DA5FAC36E4AC807FF82C799D9AC5E5951575F3F47B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:40.487{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54744-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000252830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:43.019{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E423560EF3D42DA80A552EB0E9C733DB,SHA256=6DB471BACA722C2E23017630A730692D2FDE761A4F424CD0B099E9EDBCBA7367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071097Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:44.072{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=288AD135827B35C81E5BC2BC417404D7,SHA256=1203DB8F81FA0C5EB3E37CD5849494DD97F6B2EA6C8D77112B6DD106C6CD38FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:44.113{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC79FF94DC64B3FBC969B572012A137F,SHA256=67380609570F2B144D7A86D2178DDD2686A07E8639E2068B614E3DFDE4481B8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071100Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:43.896{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50880-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071099Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:45.263{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220607072316-097MD5=9111EC41FF83C628EF84330FEA05BEAD,SHA256=3F7BCDBE67AB8824DC300550CB45B7322968B387BF2CE401070A8C26F347D813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071098Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:45.166{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF2031F5FA96B46823C3D8383CFA38B,SHA256=F7D4E727982638BE8F19C9C14899A17FECCFD84B1F50DAD5FAC7AC9D5A288209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:45.207{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7DCE59FD171DC8F47542B09B155CB00,SHA256=7EBE1AE6DBB0A2FA2DC62692156478338AAA40A79F1DECBAD39492E6A791E9EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071102Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:46.363{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD06B5766AF369A94FA265F16110EC0,SHA256=87DE4E563BFFCA6150C3D82405DEFAFBAD65CF97EFE6B8DD312F77653A782052,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:44.596{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54745-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000252833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:46.300{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A022981D45DCE779E46C388DA12193F,SHA256=7B266FCDDDAE0EF95F2F911EFC90E7879CD264E433B2D9A36769E8F8A789D3FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071101Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:46.273{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220607072314-098MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071103Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:47.459{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFD1B784B454831C5B0EA853C68AA5F3,SHA256=F16E1846A8C99F512B6481B3F8B38E224335EEC8E6BB054BE9CE0C21A0DBBC42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:47.726{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220607072217-098MD5=26E254714248D0D79F13F56976A5C4B7,SHA256=C15338F826599CD6AABDB3AEEABC6E7FD705959E0E9A072D05126DC09FC03A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:47.395{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7239617149F14C27E7AD1EDC5C965CF1,SHA256=9EB0E0C09F768353556D45220BD93A83CBFF3053284D30794FC1D53A38B25376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071104Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:48.553{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64642EAB8AB67E6206B8879F7461CDDE,SHA256=810B230D65D3ADDD39753E634C6DD38FF4B31314BC5B6EBE3C9D6764224D9C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:48.740{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220607072215-099MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:48.504{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E81402A3BFAF8200B01A019CC40D7B49,SHA256=9714C972FFF1C5D13509A62B8978D43B0274E98C6BBB3682060F3BB0DF066AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071105Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:49.756{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2642A29996ADFED4B4D3833BB0581002,SHA256=39BBD2854E5F08CBC6CA6D9794FDFC08A35916AB5D8B627B37D78CC205C6D58B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:49.584{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC5A34230884498435309C0929DF99F,SHA256=F81D2B7760C2CCA90B8776D9B452431581B519F2E1F524E90D1FCA6DC436114A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071106Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:50.850{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DBBA6307A32FCF003A7E8571D6786E7,SHA256=CFB117C8F040B22C533DA26CB36F0FF1DEF3374975FEAFCAD25CC8821DDFBE85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD9-629E-9600-000000006002}4504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD9-629E-9600-000000006002}4504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:50.459{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD9-629E-9600-000000006002}4504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000252878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:49.615{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54746-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000252877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:51.100{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282E1E835F5C5F441249E7E4A026700E,SHA256=A039FBC5FF8DE26F596665C98E58291E2DCDD5491F68FE8FE8DC5A1245AF9B88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071108Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:49.908{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50881-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071107Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:52.053{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96618884A41274E190013F0FE443B2B,SHA256=97E72A5DE9AE94D69610A3FE4B86017C55ADA7A04083CED33154EF4C18D3F303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:52.225{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B717DCAD5C9A24D10FFADD92F46FA514,SHA256=91E4E543F7F138DC33D6DF6071AC61275F9399F9A9EB90F25CF055ED6F61A692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071109Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:53.256{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623EE55CDC9CFB042EA66D78CBCD9D6F,SHA256=2A2558C3517736D06B824D70B69360F0846C298FA5DFA792D472BAF0D6D8D8D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:53.319{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C3C26840C1E02AF41BA6CF87B47D86,SHA256=48CED31422423C15775AA181FD79732B8FCD63E08342ACE9C80A699B9FB34417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071110Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:54.355{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1916AE408269C64F59D19F4CDA732C,SHA256=165AD182DF67B8B253325EFC8ED230C6002CBD770412688E3C2BDE4B6454562F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:54.413{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DD15F4B382BD5D57A00D4CFF3832FE,SHA256=4FAB02095AA4A2136BC9254D8BC086283D4918EB2D9BBCB330FE73FCA57E58F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071111Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:55.558{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9B8AD5545562FF7835052DC91B2C04,SHA256=19A57DF376EAA42C5E12082BBC223C58EC13E81EC5A41B805B604E2FB80B5965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:55.506{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D4E94B3F8C10635D0FA92011B7D4F4,SHA256=9361E7CEFF9B17663745F2791BFF06B059407CFA36898C7DCC055F66CF370606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071112Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:56.652{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2341539C34123A93B79D1BB9CD36F174,SHA256=365D0D20587E7DC5D2629CB76C24331CB1C602FDB428CD63FB38C4519EFF35FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.803{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-147C-629F-E603-000000006002}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.803{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.803{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.803{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.803{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.803{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-147C-629F-E603-000000006002}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000252894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.803{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-147C-629F-E603-000000006002}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000252893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.804{2E1864BB-147C-629F-E603-000000006002}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000252892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.600{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6028F1591239830F4883631F3D1AB5,SHA256=4C34E0E0B9D522704F401C6F874A69689E2C5DCDFEE74693E7AECB2C6D4B400F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.522{2E1864BB-147C-629F-E503-000000006002}34685944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.304{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-147C-629F-E503-000000006002}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.304{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.304{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.304{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.304{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.304{2E1864BB-FC96-629E-0500-000000006002}412528C:\Windows\system32\csrss.exe{2E1864BB-147C-629F-E503-000000006002}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000252884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.304{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-147C-629F-E503-000000006002}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000252883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:56.304{2E1864BB-147C-629F-E503-000000006002}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071113Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:57.746{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A94EFEA82E75D011B61A17C5C8FA83D,SHA256=67EA71D91D396287B6C403D7E993C1DF4C376649445B5FC0217CE9EE80B9D0BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.975{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-147D-629F-E803-000000006002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.975{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.975{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.975{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.975{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.975{2E1864BB-FC96-629E-0500-000000006002}412528C:\Windows\system32\csrss.exe{2E1864BB-147D-629F-E803-000000006002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000252914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.975{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-147D-629F-E803-000000006002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000252913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.976{2E1864BB-147D-629F-E803-000000006002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000252912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.584{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA672BCA2BB21A43B21947414BD0827,SHA256=8D19FDCB3B5DFBD762530DCDE8CDEF9A34F6A9B2387DB4C3D11F097BEF947A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.413{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8162E47F1867F2E7437887933F54749E,SHA256=D1D9B1BDDBF8A70050ACE8948E08E27E745CA55C8757AE60B48B58666E4A5CBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.303{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-147D-629F-E703-000000006002}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.303{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.303{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.303{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.303{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.303{2E1864BB-FC96-629E-0500-000000006002}412692C:\Windows\system32\csrss.exe{2E1864BB-147D-629F-E703-000000006002}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000252904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.303{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-147D-629F-E703-000000006002}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000252903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.304{2E1864BB-147D-629F-E703-000000006002}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000252902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:54.631{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54747-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000252901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:57.038{2E1864BB-147C-629F-E603-000000006002}16485868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000071116Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:58.840{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=497B2EDAFE17E6FE5C2A7D935D88EB63,SHA256=156FF18A2CCF141E8B81D16F54EF650E3B9D4D3CDCF94FD42F1D10577B6088A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071115Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:55.882{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50882-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000252938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.975{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-147E-629F-EA03-000000006002}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.975{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.975{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.975{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.975{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.975{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-147E-629F-EA03-000000006002}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000252932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.975{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-147E-629F-EA03-000000006002}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000252931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.976{2E1864BB-147E-629F-EA03-000000006002}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000252930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.694{2E1864BB-147E-629F-E903-000000006002}19604228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000252929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.678{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE7FB82B3F3C438B9CC7773599408A5,SHA256=9A87A0C18D249450FE0A2F9A22D2C84F5B309E4BDBED1FE7BB8402F195027C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071114Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:58.449{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4225226D736B6FB44374C073BA86FDFA,SHA256=3147B25AF47D07C4A0832CAC0B5CB24AAD40E7C1FF6841F4ABF12DBB678A606E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.475{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-147E-629F-E903-000000006002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.475{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.475{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.475{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.475{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.475{2E1864BB-FC96-629E-0500-000000006002}412692C:\Windows\system32\csrss.exe{2E1864BB-147E-629F-E903-000000006002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000252922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.476{2E1864BB-147E-629F-E903-000000006002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000252921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:58.475{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-147E-629F-E903-000000006002}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000071117Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:03:59.933{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7EE21EEFAB4BB28C0F147EF5DAF3B48,SHA256=C26AA52BC9B3C00C71428F992C36DD368352ED7CEB32345930DF5FDAE249F932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:59.788{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D74E86C2EA72E81EE9B58476138531,SHA256=4A9FEEF9F75AADF1CBCCE459D3E85C98F7F78E4B170CDD0A98270EF0821BED49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:59.647{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-147F-629F-EB03-000000006002}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:59.647{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:59.647{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:59.647{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:59.647{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:59.647{2E1864BB-FC96-629E-0500-000000006002}412528C:\Windows\system32\csrss.exe{2E1864BB-147F-629F-EB03-000000006002}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000252941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:59.647{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-147F-629F-EB03-000000006002}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000252940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:59.648{2E1864BB-147F-629F-EB03-000000006002}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000252939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:59.147{2E1864BB-147E-629F-EA03-000000006002}53004216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000252956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:00.897{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D00D0BCB60EE6866C1D92B870F52BDF2,SHA256=82306CD0649C2EBDCF5A21F15E55F5DCF62375B39670F17A4CBEF6B1DECF3BE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:00.053{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:00.053{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:00.053{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:00.038{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:00.038{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:00.038{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:00.038{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000252958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:01.991{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC8D02EE8EC75F63A296CDA793F07B0,SHA256=7B1D21E4E3D45450F9C8EC2351E4CF013F24C64AC1FD56E369ED08222E93B609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071118Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:01.246{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8FA89B1EA5266BEE2913705B88E1626,SHA256=0FC66D86C00EE98E09085B0BFD4129637F86A0003D3BA5C373DEEF539C2CA756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:01.116{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4CE90D4DA827109710BC5436ECF8FDF1,SHA256=A6B18F55BE5091B00FA33A33CEF48C26ADA72BC2502DF824A66E9A2203A3124E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071119Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:02.449{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A78A59AE7E0553B94B1CEAEA198D38,SHA256=2BC435EE75753AC2675862B54D3E4D2411FDE0BD555363D6F532F38A7226863A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:02.631{2E1864BB-FC99-629E-1200-000000006002}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2A1D02BDA0FC36F16A813B3CA66BB743,SHA256=28D3B46F4C5DCE923B1732AA335A070C28E161B5AD2781BFFBCE03CF3730C322,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:03:59.724{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54748-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071120Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:03.652{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD643AFB53990DA0DFD19152F12CB27,SHA256=77F1F9C20A67796FDE448ECC28E84C9623CB8083C5DEEA9EF2E2FE130CD9B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:03.084{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC96016FC2C3C4C7B702BD522416213,SHA256=CE4C47BCB4A291A3568ED800E5FE2DDA07864287C829201D5D0C0C647B433E81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071122Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:04.855{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A53C3C63E98F2D9E50CD397647D8A4,SHA256=B4718FDE664291183D839359D5A1C1B6AF5503DBE8A4630664070EF9F3238709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:04.178{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94ED42F461241B24682305BC33E012B4,SHA256=6F0E22B57CF0E80DE3B54B9C0599FCCAD8B434CAEC13F3621A1F809EC0C09A8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071121Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:01.898{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50883-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071123Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:05.949{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA66A44864E29FFF7DF7A452724DCE6,SHA256=9C00067E2872D282D8F37BDB16FB4A9D45500AA2228BD7326E6BF052CF5A5EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:05.272{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE20D1295B7B8981BEDE0500CA568F4,SHA256=51A58786E9DAE4E256AC4D88FD55CFCCB0AB7982F2B3773F92AD367510F78E2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:06.803{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:06.803{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:06.803{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:06.788{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:06.788{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:06.788{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:06.788{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000252964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:06.366{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F68D8AA06A956224444201C4EE13C42,SHA256=4D4BB6019866A6E2ACF6082C2D0AB11EE0098D10E163AAAB9AA5729FCEA2CAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:07.459{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B413DD6FAB56EB563FCF4E85D3D41314,SHA256=DE9D020FDA0DBEC63FCBC3770CE37F71DB810DACF36EDD2FCFF810CB993C601C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071124Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:07.261{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B69771314F216FEB7F9334EC8C45D34,SHA256=89E5DF6A242CC059F20EE75170267BDE34CF0437224C0CCDC2214F8FF89B736C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:05.552{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54749-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000252981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:08.553{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A158774188CE0B6A583B0DE56228E6A,SHA256=D12265AEEE7FB984FFA17D6F61668324D24F2364A8A54F55885D62D7DF71E2EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071125Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:08.465{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E4C6D839E2C97444C550173B88F104,SHA256=CB363D3C9FD244CADAB1F2840B58217D26479B7A5C579F6D73459F07BA5E303F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:08.069{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:08.069{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:08.069{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:08.053{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:08.053{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:08.053{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:08.053{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000252982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:09.647{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4858EE8B73D43F7B6EDAA0233B1022E,SHA256=48B6F0EAD0FE6948F204697C36322A3946BE72DAAE69AAD7ED00B445E8D44FEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071126Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:09.668{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3B1C67841EAE7174457D844756B7FD,SHA256=F85AE9F3A1ECEBD50B31C54BBE6348C305C1A6DE901A445621A405ED309A566A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000252990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:10.975{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:10.975{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:10.975{2E1864BB-FCD7-629E-9400-000000006002}50245928C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:10.959{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-0001-000000006002}2620C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:10.959{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-0001-000000006002}2620C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:10.959{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-0001-000000006002}2620C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:10.959{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-0001-000000006002}2620C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000252983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:10.741{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC494D90C8F97470B88B564FDCDF91B,SHA256=E41F4599911B4A019CFA598B117FACF7C7881066C323301A63ACABA47C570D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071128Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:10.980{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0CE051DBA927A2A7EFB4223EE5A835,SHA256=06D136791F1955D6BDBD9E6233D5E6BD0F072C8429397C29C0464623CBEA1D3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071127Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:07.726{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50884-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000252991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:11.834{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BA4AEBAFEA103B1F3339C56DFDC76E,SHA256=61A7793FB867EEF766F820C0A66133F2DD63E99393710B6E101BF958B2C13D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:12.928{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743E6CA844499CEDB00A2D309DCCB42E,SHA256=E11BD9385FD8DEC9F15F70277535D39C366968B079310B6B096475AA38A29105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071129Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:12.074{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60B66150ED7B379C5D70FCE166D9D12,SHA256=4A0AB941715C7CF3A73F9DC06B6B7161862677542D3603DF8C69F67F774FDA25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000252992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:10.568{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54750-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071130Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:13.293{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44DC5080DC7947F6B09332732F1F9834,SHA256=A5D2887E4E7D1837055824F0A225FB73C21367362B5A42F8D1A5DD687944EDBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071132Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:14.548{0A5DF930-FCE1-629E-1100-000000006102}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A4726C36DB5016206DC3606FDCD8E072,SHA256=CE6446B6134FC4C338E7705A22EBBCE7B4CDE937A2A23F6D2D2BA8D8409F5378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071131Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:14.391{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A547EC5B7E51317E74D5E5E62295BF6F,SHA256=55E1377B5B10B284FBB6CAF8D3F9BA8A9AD15FB31989256F4EF661BFD8699F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:14.022{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEF11BAD4E1B54F142985B7A0D56623,SHA256=D2C13B0BC8CBAE2BDD034BBFE3013240213FF2C0FD9ADD0058F441F3DF5C2346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071134Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:15.594{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD4F87D3B9600E5567483A5E78226FF,SHA256=A5FF3667FC4ABB445420C1AF3AADE60B297CF39A6E8AF18B668BABA66D5B7E0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071133Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:12.913{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50885-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000252995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:15.116{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0681ADB400067729ED8A6B9C2E8A44,SHA256=30B256C8BD50AD85EEDA68FB219AA019C8C33BF947B62B5F50625A4AC92E62D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071135Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:16.688{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0F8093B327807E62586A6063E56A4D5,SHA256=B03BF46A43555A407104A8ED3B1FFC85EC745C7C17DD8CA1EC71599CD4FB0E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:16.209{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EAE8DBD05297CC9A39ACDE8CD30B77E,SHA256=380448E4BC83CBD0F280E4A9194C34EB0AA0E160B3DBF7E92FF76943811DCD93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071136Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:17.782{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5774C9CBD93D53CD9ABFA16BF8ADA4B9,SHA256=ECCDDFAD49963DD2D525B76BE1A0A53787116F1135581D60173008F024BD6A51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000252997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:17.303{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A91069127CDC50A80828147F5EF8DE,SHA256=35DA9A66B7D7C6543A03E4EEDB654AF96A57EC07EA8048566AD8CE24CF420C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071137Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:18.985{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7183535935D698262D2184C0E17FB07,SHA256=2CC0F2FF090A963ADED6F113297D3C74EE9C0B9B959EBFBCD29D23FFA7416ADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:18.397{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7B3F8380CE75563E8DDACAE8B1D851,SHA256=1C7D55CFE4244BD785065CDCB665FC5AE0F4E66D5E5E92DA82BAB70D39486901,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:15.630{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54751-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000253000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:18.381{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FC99-629E-1500-000000006002}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:18.381{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FC99-629E-1500-000000006002}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:18.381{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FC99-629E-1500-000000006002}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000253003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:19.491{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4839E713B6120448DD1D0B713EFD7B9A,SHA256=7F38D5B72B377089706BC0E30D560DEFFC7C8A85E0276317DE2CD6CE73E2EEF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:20.584{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F76CED0726DC78300D3D828BBC15747,SHA256=FA12299D67C28627617646CE1BB861193CCA69AAD91D3E20B7822B5BBA4ADA15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071138Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:20.188{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B7E6E10AE8DCDB88DA0D69C44E1C489,SHA256=6BFBE92F563F2E6CF6C9142195082D8E69B13999D44A1DB774AEF93A9EEF23B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:21.678{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2AFED8313180BF0B0698008D030F6D0,SHA256=FAF7C4DB626B5988DE233D6E94917CBB74AF29F58D6CD58C88885563F1E3FB2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071140Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:18.933{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50886-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071139Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:21.282{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4515A2F1BA74C9DEF94E4D4C6AF3F88,SHA256=5AF2AD5214C029F6FB96FFC8A3ECB8521195D72B16C125A79A549B1EB9BD01CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:22.772{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D8344456B5EEE4935477D97AFD9C16,SHA256=F1BA157139A2B3ACDCDFEDCF807C5FABAF9A3AA0448A4A9ABD49C03BB2A015A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071141Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:22.391{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930A86C19078AD179AFC6FE2CFEBE135,SHA256=F2CBFC8CACE24325FE2CA4762913C129498561D8584B326E5B7D6C8D37751193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071142Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:23.485{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51BC5BB3E660E301689194EAC9929BB2,SHA256=0B8DEE1B4EF08353D21810DA6D01211FD154CB6AE18DE378FEFE31DBE11AC710,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000253067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteKey2022-06-07 09:04:23.959{2E1864BB-1497-629F-F203-000000006002}1376C:\Windows\system32\reg.exeHKCR\*\shellex\ContextMenuHandlers\EPP 10341000x8000000000000000253066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.959{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1497-629F-F203-000000006002}1376C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.959{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.959{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.959{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.959{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.959{2E1864BB-FCD4-629E-8100-000000006002}27524456C:\Windows\system32\csrss.exe{2E1864BB-1497-629F-F203-000000006002}1376C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.959{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1497-629F-F203-000000006002}1376C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.963{2E1864BB-1497-629F-F203-000000006002}1376C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 10341000x8000000000000000253058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.928{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1497-629F-F103-000000006002}4888C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.928{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.928{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.928{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.928{2E1864BB-FCD4-629E-8100-000000006002}27523672C:\Windows\system32\csrss.exe{2E1864BB-1497-629F-F103-000000006002}4888C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.928{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.928{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1497-629F-F103-000000006002}4888C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.938{2E1864BB-1497-629F-F103-000000006002}4888C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 10341000x8000000000000000253050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.913{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1497-629F-F003-000000006002}4500C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.897{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.897{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.897{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.897{2E1864BB-FCD4-629E-8100-000000006002}27523672C:\Windows\system32\csrss.exe{2E1864BB-1497-629F-F003-000000006002}4500C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.897{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.897{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1497-629F-F003-000000006002}4500C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.909{2E1864BB-1497-629F-F003-000000006002}4500C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 10341000x8000000000000000253042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.881{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1497-629F-EF03-000000006002}2628C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.881{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.866{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.866{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.866{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.866{2E1864BB-FCD4-629E-8100-000000006002}27524456C:\Windows\system32\csrss.exe{2E1864BB-1497-629F-EF03-000000006002}2628C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.866{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1497-629F-EF03-000000006002}2628C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.879{2E1864BB-1497-629F-EF03-000000006002}2628C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 13241300x8000000000000000253034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:04:23.850{2E1864BB-1497-629F-EE03-000000006002}4740C:\Windows\system32\reg.exeHKCR\Drive\shellex\ContextMenuHandlers\EPP\(Default)(Empty) 10341000x8000000000000000253033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.850{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1497-629F-EE03-000000006002}4740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.756{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.756{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.756{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.756{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.756{2E1864BB-FCD4-629E-8100-000000006002}27523672C:\Windows\system32\csrss.exe{2E1864BB-1497-629F-EE03-000000006002}4740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.756{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1497-629F-EE03-000000006002}4740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.765{2E1864BB-1497-629F-EE03-000000006002}4740C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 13241300x8000000000000000253025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:04:23.741{2E1864BB-1497-629F-ED03-000000006002}828C:\Windows\system32\reg.exeHKCR\Directory\shellex\ContextMenuHandlers\EPP\(Default)(Empty) 10341000x8000000000000000253024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.725{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1497-629F-ED03-000000006002}828C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.709{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.709{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.709{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.709{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.709{2E1864BB-FCD4-629E-8100-000000006002}27523672C:\Windows\system32\csrss.exe{2E1864BB-1497-629F-ED03-000000006002}828C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.709{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1497-629F-ED03-000000006002}828C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.720{2E1864BB-1497-629F-ED03-000000006002}828C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 13241300x8000000000000000253016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:04:23.694{2E1864BB-1497-629F-EC03-000000006002}2696C:\Windows\system32\reg.exeHKCR\*\shellex\ContextMenuHandlers\EPP\(Default)(Empty) 10341000x8000000000000000253015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.694{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1497-629F-EC03-000000006002}2696C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.694{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.694{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.694{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.694{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.694{2E1864BB-FCD4-629E-8100-000000006002}27523672C:\Windows\system32\csrss.exe{2E1864BB-1497-629F-EC03-000000006002}2696C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.694{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1497-629F-EC03-000000006002}2696C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.699{2E1864BB-1497-629F-EC03-000000006002}2696C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCR\*\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 354300x8000000000000000253007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:20.723{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54752-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.897{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6E5D3380528ED2881B4F0267856362,SHA256=A26D1916BEEC961DF9B24B9F8F5D8B92C2573A3831848C1D211AF4961B2F05B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071143Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:24.594{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9FD6562BE434647B321BB9048DEDCCF,SHA256=434D8A00070EA8C3513FADC7157D517489333909BC8BAB05F182DDEDABFAA008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.772{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7F3F9EE8FE960585D28BAE7EAAFE513,SHA256=D4E91D93E4EA6D741D034A1FA738BC75670E2BF8259BD77784CBBD8A80668634,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:22.087{2E1864BB-FCA7-629E-2D00-000000006002}2900C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local53domainfalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local58859- 354300x8000000000000000253097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:22.086{2E1864BB-FCA7-629E-2D00-000000006002}2900C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local63617- 354300x8000000000000000253096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:22.085{2E1864BB-FCA7-629E-2D00-000000006002}2900C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local58859- 23542300x8000000000000000253095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.366{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13CECAF9AA544C70E581D6CD4E5C561,SHA256=EA8FB7C02CE0172D9D7C133C7A2317CB4FE0C0DC800B1C75561174C2464E252E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.350{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF558C4BB010FC338273FA8C1A341AD,SHA256=345DBB3C751076D5DD8E11A595FE15247853882F719932F3FA9C324B45C071D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.053{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1498-629F-F503-000000006002}5604C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.038{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.038{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.038{2E1864BB-FCD4-629E-8100-000000006002}27523628C:\Windows\system32\csrss.exe{2E1864BB-1498-629F-F503-000000006002}5604C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.038{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.038{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.038{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1498-629F-F503-000000006002}5604C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.044{2E1864BB-1498-629F-F503-000000006002}5604C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 12241200x8000000000000000253085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteKey2022-06-07 09:04:24.022{2E1864BB-1498-629F-F403-000000006002}4424C:\Windows\system32\reg.exeHKCR\Drive\shellex\ContextMenuHandlers\EPP 10341000x8000000000000000253084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.022{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1498-629F-F403-000000006002}4424C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.006{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.006{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.006{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.006{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.006{2E1864BB-FCD4-629E-8100-000000006002}27523672C:\Windows\system32\csrss.exe{2E1864BB-1498-629F-F403-000000006002}4424C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.006{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1498-629F-F403-000000006002}4424C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.017{2E1864BB-1498-629F-F403-000000006002}4424C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 12241200x8000000000000000253076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteKey2022-06-07 09:04:24.006{2E1864BB-1498-629F-F303-000000006002}2408C:\Windows\system32\reg.exeHKCR\Directory\shellex\ContextMenuHandlers\EPP 10341000x8000000000000000253075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.991{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1498-629F-F303-000000006002}2408C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.991{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.991{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.991{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.991{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.991{2E1864BB-FCD4-629E-8100-000000006002}27523628C:\Windows\system32\csrss.exe{2E1864BB-1498-629F-F303-000000006002}2408C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:23.991{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1498-629F-F303-000000006002}2408C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:24.000{2E1864BB-1498-629F-F303-000000006002}2408C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x8000000000000000253101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:25.991{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D17FD766A079A1B5B64685DB534480,SHA256=81F203BB03EAA2878CED55FDA1C2E000DAB768AC357E6FE3C2C029862A45F9F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071144Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:25.688{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB85FE6EA80F8E7319621AB01F0ACD1,SHA256=2D513B1F898CB29A77E705956C6670C123EC180D1B46C38F93AF2CE53415597B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071159Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:26.891{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D2E6B8FA9CA27C47BA3CBA23713137,SHA256=4D6B2475E41A1E6C611BE95B6158E00077BEB3B3D00C3B1B0D4490D88FECDCCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071158Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:26.798{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071157Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:26.516{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-149A-629F-6A03-000000006102}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071156Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:26.516{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071155Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:26.516{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071154Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:26.516{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071153Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:26.516{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071152Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:26.516{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071151Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:26.516{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071150Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:26.516{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071149Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:26.516{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071148Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:26.516{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071147Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:26.516{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-149A-629F-6A03-000000006102}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071146Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:26.516{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-149A-629F-6A03-000000006102}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071145Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:26.517{0A5DF930-149A-629F-6A03-000000006102}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071191Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.985{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6EE720682D9C17FD8C68B73DAFE548,SHA256=13710E8D8316220B6F242263232D8819B06EB89F2BC9ABEE68C44756FDEA30AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071190Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:26.465{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50888-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000071189Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:24.746{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50887-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:27.084{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0BF796D48F352E1A585D1E2D75851B,SHA256=EDBFC4523B4880386FC130A9E2205CE271E1BD59BF5AC301AC46F7A6AD70A9EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071188Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.735{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C885094D41168964BD93C23B4BA8A6AD,SHA256=7357BD2291E55C6BDDC56F8BA193416D07F0DAEBBB6783DD98E1EAB296DC147C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071187Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.688{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-149B-629F-6C03-000000006102}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071186Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.688{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071185Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.688{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071184Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.688{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071183Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.688{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071182Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.688{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071181Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.688{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071180Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.688{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071179Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.688{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071178Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.688{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071177Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.688{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-149B-629F-6C03-000000006102}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071176Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.688{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-149B-629F-6C03-000000006102}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071175Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.689{0A5DF930-149B-629F-6C03-000000006102}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071174Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.641{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BE26780FD6F599C2D207DD7869D6A26,SHA256=32D42C35B13523866E9A549B12A40F4833243F3CB51F8A2F11325F5481BA0E64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071173Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.204{0A5DF930-149B-629F-6B03-000000006102}33642092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071172Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.016{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-149B-629F-6B03-000000006102}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071171Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.016{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071170Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.016{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071169Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.016{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071168Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.016{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071167Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.016{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071166Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.016{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071165Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.016{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071164Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.016{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071163Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.016{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071162Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.016{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-149B-629F-6B03-000000006102}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071161Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.016{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-149B-629F-6B03-000000006102}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071160Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:27.017{0A5DF930-149B-629F-6B03-000000006102}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000253104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:26.739{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54753-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:28.178{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AACAEC6FF2FA0D9E15510C01DFBA4B47,SHA256=B172441CFF9BD1A12135F14A72BADB432318D2D806CC6E2CC0468D6786D80DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:29.272{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F643154C9A7F7F8A70FE55342C62994,SHA256=9BF47C23CFB600DF438C5720F3E33E6D723260DAB8B0D7F0AB9B11352A97A069,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071220Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.923{0A5DF930-149D-629F-6E03-000000006102}26003920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071219Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.751{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-149D-629F-6E03-000000006102}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071218Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.751{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071217Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.751{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071216Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.751{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071215Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.751{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071214Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.751{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071213Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.751{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071212Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.751{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071211Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.751{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071210Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.751{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071209Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.751{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-149D-629F-6E03-000000006102}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071208Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.751{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-149D-629F-6E03-000000006102}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071207Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.752{0A5DF930-149D-629F-6E03-000000006102}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000071206Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.251{0A5DF930-149D-629F-6D03-000000006102}29683360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000071205Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.097{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE9A9AC2E2E3D6561C28BA38BB5D4D1,SHA256=68EFF3318EE9548301A83DFFA08470BB42E3E2CF3F5CCC391013681ED888DD51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071204Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.079{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-149D-629F-6D03-000000006102}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071203Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.079{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071202Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.079{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071201Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.079{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071200Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.079{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071199Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.079{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071198Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.079{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071197Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.079{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071196Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.079{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071195Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.079{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071194Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.079{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-149D-629F-6D03-000000006102}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071193Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.079{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-149D-629F-6D03-000000006102}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071192Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.080{0A5DF930-149D-629F-6D03-000000006102}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000253108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:30.678{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=023DABB00BD744BB25CEBD7FE98AFD91,SHA256=5A2561D340EBB8C08C0A2E6E71A9E6F4843B321BF7666469D31B81D893D97ABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:30.428{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3747BE23E82335D3127030F51A41950E,SHA256=FD14D600739A72EC4278852405353CEC35EA63EA701602CBF377F90315A86119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:30.366{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39EF4C58513BF1A663F87E384E4AA54A,SHA256=7408AD9EB16ED075F737FBF9166777BE99357F9561A46F8297DE578BCC19663A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071235Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:30.469{0A5DF930-149E-629F-6F03-000000006102}32642124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071234Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:30.266{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-149E-629F-6F03-000000006102}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071233Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:30.266{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071232Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:30.266{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071231Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:30.266{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071230Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:30.266{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071229Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:30.266{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071228Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:30.266{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071227Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:30.266{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071226Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:30.266{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071225Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:30.266{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071224Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:30.266{0A5DF930-FCDF-629E-0500-000000006102}408528C:\Windows\system32\csrss.exe{0A5DF930-149E-629F-6F03-000000006102}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071223Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:30.266{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-149E-629F-6F03-000000006102}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071222Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:30.269{0A5DF930-149E-629F-6F03-000000006102}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071221Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:30.266{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A8FC3E0973258931D5BCEEB7FEE6FC,SHA256=48DF616FD0DF8E93C192BF31C64339DDD4D396F19D3F1E309C19F23D972CD9FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:29.114{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local54754-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000253110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:29.114{2E1864BB-FCA7-629E-2A00-000000006002}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local54754-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x8000000000000000253109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:31.459{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D5BFD518C7C20ADB97F900820024B5,SHA256=3C53681917EC23437E1E49CFB9F987584CC4468556641166A1348C1C3B22CDA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071236Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:31.313{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96670A1574343C2A906985D70A6C348B,SHA256=E56F5B6DD9648B59EB55B8A92CA3060CCC3B375DE64BD3BF25144E6DF6F3DF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:32.553{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B878B3494AE144C0C9AE1AA7FE94DE2,SHA256=6F7F47D8860B40FFCF02956F0CFE5947D5ECFAD705799FF8A103A91B1297EC48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071251Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:32.907{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-14A0-629F-7003-000000006102}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071250Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:32.907{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071249Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:32.907{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071248Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:32.907{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071247Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:32.907{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071246Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:32.907{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071245Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:32.907{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071244Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:32.907{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071243Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:32.907{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071242Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:32.907{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071241Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:32.907{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-14A0-629F-7003-000000006102}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071240Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:32.907{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-14A0-629F-7003-000000006102}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071239Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:32.908{0A5DF930-14A0-629F-7003-000000006102}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071238Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:32.407{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313772546A4DCE36D921DC46C5B66165,SHA256=B36091B19CC1225F7022473A828DFCC3209184111D1CA60BF4625252BF691CDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071237Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:29.793{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50889-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:33.647{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCEFEDDE527627DFCB862080326C3999,SHA256=DEDDA757BAD5C74243EE220DB21629A8BA52A38EAB1C3659A7DFE98D439AA679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071252Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:33.501{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D289CA3CC00D5B4EA42DD81F76534E39,SHA256=375165D6863B9D7B06B8B52053E4EA0588E9D0B64624F7843152DF43D453047F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071254Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:34.596{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9870E541F0BE7D1A02AB823945AD75D3,SHA256=383B944436F5CC28803F5D40908BDE51BE2BA21CC02FA5CCE8EB470E201B55B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:34.741{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6BA2627F9E9D7F0E33041820F1A46BC,SHA256=10103242AAD0A5E542FFE8E0F98255F072C0C74D8FF2A0E45AE309F88D6E6A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071253Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:34.001{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E71B87CCFF1394F2344AE63BA82E71E3,SHA256=DC9B3DBB6EDD5413D58BA6938E3E84E87A4A1F9DCD5D34B99BE661F126DBAB42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071255Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:35.800{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D815BFE54E80A31975FF99EBEF9C4D5F,SHA256=9141DDB9B3CCA4AF83DFB1CE31FACD94352FB8C0ECB65533697D538F2969E07C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:32.583{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54755-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:35.834{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F128BFB89BD8064A3B3DD84DEDDCDA82,SHA256=899486DC392C3BAF31AA8954207469387754FAFCE58B2E21C0600ED6EAA2CE42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:36.928{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6FA2EFD0909FFE9A1018DDD2631092,SHA256=8C1994FC6166903A5B4E93FCDD3E41C87C15945CC1B7BBB583893E967C48B3F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071257Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:35.732{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50890-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071256Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:37.112{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5DABE17F0F20CDE5F3A5A9D6E76BAD,SHA256=972E253F2D1AD017557A5CEB1643B8E5EF222A2194370550C4E2BB074697F43E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071258Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:38.209{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1EC786B8F35C5FF3E2AC7D9C9AF80E0,SHA256=87732F2772E2128AFFDF36A44830EF7539E5687BF2321E13C65492E64FB6DC5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:38.022{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=976A69DA5AC6601711EF5AEB905BB542,SHA256=A641877314767CAC9937C93D3B2127F47E6E687DAF0235340837752333E7E0FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071259Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:39.409{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FDCC021E88389336585DAB8951E2B55,SHA256=C0176661C5F3EA297C58ED2EE4ED719E8BF18DBA041E8F88DA8B98F94FAA3289,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:37.661{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54756-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:39.116{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313223313517777626587C6F21F7718E,SHA256=E0DBB0CB2040103221D516CF12D45E67EF32B105A72F944FE95CFCAF4FCDE1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071260Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:40.721{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD72B39EAA51A1817FCFE39A4B143F47,SHA256=943D79980439E57E2A9D49DD5AE6D70F03749275A6E592FF27B3E62986813843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:40.209{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE56B1401E3DEE30EB40ACD4339A5AA8,SHA256=52021DF993D65CDC5F439CB09F74FE93210E445CF571BDCD17E4F3BCB152D9C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071261Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:41.925{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A00A13CDE4381D57E93F28234C2DFD8,SHA256=0924585B7E64B4DDB84D94BF21711906B9A4D736590BD453838614889DB72810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:41.819{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C1D650F4F8BA2A17BD294A7ED1117CCE,SHA256=8597D3FF4AF85FD8383A38E70284B81C4DF6E2B1A11CA787A59B049DC4E238EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:41.303{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A26A96C6E106FC9B02A84A575FB35E,SHA256=FD860DA97DB3DDBCC0ECB8C4525834EBCA5154E8A37FD8C830EC57AB2B626E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:41.008{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:40.504{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54757-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000253125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:42.506{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA28FE46B0DADFC2E62853CDCCDEA5F,SHA256=AE658A6A8E1D7786A29C61800CD267ED0F6522C1666EA38E3B13C723D2DD886F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071262Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:40.810{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50891-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:43.600{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24367DEB76F166DC35BEBAF98B085BE7,SHA256=7CF633DCAE2CB490CE0A4B0A8E20F5AA67BE916F31AE26B4FCF50A9AB990C3B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071263Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:43.128{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CF5473819AAA70F38EF3E599FC67A3,SHA256=E0DFDD5E69BB9123AEAB3C2CB99C2D5EBE5D491D4E1CFE5194058D9A2AB9C2DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:44.694{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B481D635D6172ECD6FBC77CAD0F156,SHA256=73C0A99B5D765F8434694CF60A41C25C3F2A7F4F0C309CBBBAAED3B8422158FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071264Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:44.221{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE6D33E82B222F5BA933AB6A1C1378B,SHA256=F6285A7880C71511BA11B84767389DAA98133A629E2F3B5CADA05858946CFF30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:45.787{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B8AF2C814BF84A0F7F04619C4173D7,SHA256=384514767C2DA68F031A9D661C9A5290A7C71D64A9264F43979D70D44B6DA5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071265Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:45.315{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ACB37973EB26451561B15EC1CAE2B34,SHA256=4B187D3A5A12CA97570D327868152EE315BD27109AF05DD3C1E9321F82CC538B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:42.676{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54758-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:46.881{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF0E52C93845FCF790FA7F05C3043D5,SHA256=970DA5F5F00B2FFC645316E7EC737A75057168927C01BC5FBFE964E2EAD7DAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071267Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:46.803{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220607072316-098MD5=9111EC41FF83C628EF84330FEA05BEAD,SHA256=3F7BCDBE67AB8824DC300550CB45B7322968B387BF2CE401070A8C26F347D813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071266Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:46.410{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F592E94E07AAE331BD317EED8B3F3637,SHA256=6FACA1BB577CB4B244F21FED6525FE8265A7B4CE5ED4089B067A8A7B9088C7B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:47.975{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42E12A8993D5768A154DDBC5D9E5E5A,SHA256=8487C5A24DD824DDF081B52F8B2F43010B7ECCDA15E00F234198EBF8BD7C57A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071269Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:47.817{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220607072314-099MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071268Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:47.504{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=966F5AAF0EE7072FD611D26E7C67F0AC,SHA256=5A9FB0080B0E0A9F4795BD1F078265CC6B036FDD610928C118BC277595A97062,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000253141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:04:47.834{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000253140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:04:47.834{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005ed1ae) 13241300x8000000000000000253139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:04:47.834{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d87a45-0x41043899) 13241300x8000000000000000253138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:04:47.834{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87a4d-0xa2c8a099) 13241300x8000000000000000253137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:04:47.834{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d87a56-0x048d0899) 13241300x8000000000000000253136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:04:47.834{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000253135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:04:47.834{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005ed1ae) 13241300x8000000000000000253134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:04:47.834{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d87a45-0x41043899) 13241300x8000000000000000253133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:04:47.834{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87a4d-0xa2c8a099) 13241300x8000000000000000253132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:04:47.834{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d87a56-0x048d0899) 23542300x800000000000000071270Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:48.692{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02877384E7DDF0A5C155597295605A98,SHA256=59FFDB26770E4E03E30C4511F494A7929A635F13FFC3A2123EFE5591429B7A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071272Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:49.895{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2C418CCFB6E2A24548E3E467B13A7D,SHA256=0986D7F82B627354801D6CD2091B1C0FBFEF2417B35DB684EBDCBAC9438E99F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:49.262{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220607072217-099MD5=26E254714248D0D79F13F56976A5C4B7,SHA256=C15338F826599CD6AABDB3AEEABC6E7FD705959E0E9A072D05126DC09FC03A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:49.071{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6F43D10353C5272021E2CD2EE326B0,SHA256=CB9588F525F3F13EF777175105D87083B7A78966892FBF98712C2CF96F5E87A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071271Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:46.749{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50892-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071273Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:50.989{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DB02BBE682EBA4F9AF329A94BAE7092,SHA256=9D0FE6E6DC27D365822FC3C53C914E84137C3369E0800DA345E2618944EAD6F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:50.263{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220607072215-100MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:50.153{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E51A263EC0F9D13298FE68AE7BD8E2,SHA256=BFC69DD09914CD3CF9064538256E95BC1F8F1090F6E22458A417F64817C1DD38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:48.601{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54759-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:51.264{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BBF14B6B5F42F6C451303553010D87,SHA256=DEEB3A127B6558049A6E7BDE777F08369465EE252C579A015A335E674CE74F5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071274Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:52.301{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B41BAA168D0887A88F582158ACAC01C,SHA256=7D8D42C695C3C1CE3E53F4EC802E24323593B8F82A5F451BB112EF7A902C1AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:52.358{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A289FE70470E37F77D51A959C741472,SHA256=5B9B76F7D4E0984EFF5CCEFDD69A71AB15FCC6746C3D1327FC4BB520030E9C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071275Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:53.505{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0AB7F6319493160E2EE0BD2B04645FE,SHA256=FD17951E80724560444F459B471FEA371492F422263ECA2594D0E2384E3F122A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:53.451{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1718DDCD9E887C8858C5C687ACDA48D,SHA256=DBE9498079BB95A7416AF9B3B0A0B74DD02F374476B22FD9685A84DBF0A74B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071277Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:54.598{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691873607F0ABE5C812122A3722A7325,SHA256=73DC49C734D8A65E9FBA3ACCCC6DB21E50E2144151500EBCAA7102828FF252BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:54.545{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8885AC6A8C53CECC552B9CF16808ED3E,SHA256=A956BD27C5897F90958FDE34232441611A7B131F3CD7D46D4518F5B897273AC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071276Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:51.906{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50893-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071278Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:55.692{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAF655F09B7D570E712CADB757FCF91,SHA256=7239FD4FC8E2A9FD2659661EDD273AC798D59068F0EF08D7C090C5B69A3EB7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:55.639{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BEF64E478EDC73107F0257022FC060,SHA256=79A523581C3D63A823A97A8844846471000524DCCDFD34970A1E325D1223FD19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071279Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:56.895{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFB3E5F88D66E4E28D01E2B591A356F,SHA256=21153517AB86B25E9F3C02F350806AE4CDD4436D730A62765CBB19AE3160C193,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.826{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-14B8-629F-F703-000000006002}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.826{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.826{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.826{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.826{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-14B8-629F-F703-000000006002}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.826{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.826{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-14B8-629F-F703-000000006002}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.827{2E1864BB-14B8-629F-F703-000000006002}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000253163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.733{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B929616AA2C36CB3811C7E4FA5B06A,SHA256=3D2A2C10854D7FADC073BA3A3E4751B51F34E45026AAD85BACDAB630D235A272,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.639{2E1864BB-14B8-629F-F603-000000006002}54604568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.326{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-14B8-629F-F603-000000006002}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.326{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.326{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.326{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.326{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.326{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-14B8-629F-F603-000000006002}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.326{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-14B8-629F-F603-000000006002}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:56.327{2E1864BB-14B8-629F-F603-000000006002}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000253153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:53.762{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54760-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071280Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:57.989{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1CD2E2AFB0ED6C6D555885457A31CB4,SHA256=234B21A851E56563B383D504A1B4D30763E676B98010F4E3F49AB8925930A58A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.858{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648FCCA685D7F1960027C50A52F5835B,SHA256=7171DAB8FE3F1E9B3B19DCE82FFF4ACB99843D1B161403D5A64BBEB91DAAE7C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.842{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-14B9-629F-F903-000000006002}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.842{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.842{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.842{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.842{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.842{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-14B9-629F-F903-000000006002}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.842{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-14B9-629F-F903-000000006002}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.843{2E1864BB-14B9-629F-F903-000000006002}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000253181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.358{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E1FCB4F0759DC254192FD281860A79A,SHA256=242A13C2125EC4E1CFE9D39BE711E8FD321E0B165758C8E25373EFAF9C698F98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.342{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-14B9-629F-F803-000000006002}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.342{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.342{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.342{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.342{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.342{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-14B9-629F-F803-000000006002}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.342{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-14B9-629F-F803-000000006002}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.343{2E1864BB-14B9-629F-F803-000000006002}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000253172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:57.076{2E1864BB-14B8-629F-F703-000000006002}60441032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000253201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:58.936{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D738806283DD3C9E05A5B6D2320528F,SHA256=F87BD4A08CAA607A7A3322CA073D5036CB2E9B1A4101B42BB96F416C743E2A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071281Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:58.020{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AF114EDB7DEFF7CFB6AA87409457334E,SHA256=1424A61A96F23ABC9AA0C141A473A972B6496EBABFD37DDE444BDBC9CB9D539F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:58.686{2E1864BB-14BA-629F-FA03-000000006002}52164316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:58.498{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-14BA-629F-FA03-000000006002}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:58.498{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:58.498{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:58.498{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:58.498{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:58.498{2E1864BB-FC96-629E-0500-000000006002}412692C:\Windows\system32\csrss.exe{2E1864BB-14BA-629F-FA03-000000006002}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:58.498{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-14BA-629F-FA03-000000006002}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:58.499{2E1864BB-14BA-629F-FA03-000000006002}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000253191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:58.045{2E1864BB-14B9-629F-F903-000000006002}26045240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000071283Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:57.906{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50894-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071282Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:04:59.083{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D62853403853AE6F7248210B53DD5578,SHA256=DFA2A9BDCB2FE237470F03CF8721324AE64F7098A5B332D299A772AE76F6044F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:59.733{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-14BB-629F-FC03-000000006002}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:59.733{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:59.733{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:59.733{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:59.733{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:59.733{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-14BB-629F-FC03-000000006002}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:59.733{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-14BB-629F-FC03-000000006002}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:59.734{2E1864BB-14BB-629F-FC03-000000006002}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000253209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:59.123{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-14BB-629F-FB03-000000006002}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:59.123{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:59.123{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:59.123{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:59.123{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:59.123{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-14BB-629F-FB03-000000006002}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:59.123{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-14BB-629F-FB03-000000006002}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:59.125{2E1864BB-14BB-629F-FB03-000000006002}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071284Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:00.177{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2189C04B71C311582DE9A63FF7FBAB27,SHA256=A0E612816EC68BBAED413ECC85040FD167836EC4112C2D0E76B3ABC7CFE89A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:00.670{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C7611604BB3DE034FADB5B2F4D932A32,SHA256=C827448B5BD27FFB369540738C93E2EA7675FF9450826F37E863660751CCD1E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:04:58.778{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54761-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:00.045{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF857CA82652723B9B909FBBA6DF2D2,SHA256=A2C4BF443AC4294CFA4552CD0B82CC6AA0CEBC7BD93165D598BACCFFED361CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071285Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:01.270{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA73CB1A8FC9A3D5DEAC73E50B2BFD7,SHA256=7838280AEA501C14CB87A78FB4C88D0E25CE313CE4D94499A9686DB36DB6E3BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:01.139{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2A6D86034DA5EA67DE9805A0F2DB92,SHA256=7B9B6D32B473E74491C059D0C72A7947E82B62384DFD51B6874E0BA125A7BD79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071286Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:02.473{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D330F1DC1775D36AA5ECD13186ADE412,SHA256=D7069A13ECDB370DFE958B8C9C40127CC9A50B73530243CBD20441A84904B34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:02.639{2E1864BB-FC99-629E-1200-000000006002}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E0676FC0773A2CC87E934FC6A22637A8,SHA256=36C10EE3754329FEE575418FEE84A66534187E737750F67832B82FA69768F80F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:02.233{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665A4DF3D81BCAE00179B36719B7A52A,SHA256=8D5384A14D44DE7A5853DFD383CD2C31A9F8F41AB47A4E340FFAE856C1D108D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071287Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:03.786{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B87DA0FFCB801AAEFBC3E4241296703,SHA256=85F5617667512C766F43C0633A9B7A1186FA09D2240A5DBBDB5B4EBA00F679A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:03.326{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4B875CB87969CE711887EA7E025B7D,SHA256=5DA0557C8DE6C919B2AABEC4AD05D675EE81B33593B8531B6E9D81AF86E43E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071288Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:04.880{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F75B8BB54BC9788BAE4C643DC1CF4240,SHA256=9421E8DFC73E865B13892AFC9E99FB90AADE6F1F367E570839CC87329C2B789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:04.420{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235DC63CCC8C6D52B839653595DC4433,SHA256=02516D173AA992C6F429A3D8FFA7E65F22501033A41A1406DC523EE7A3A890B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:05.514{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D40BDD257D2E89B898919C1488D27D18,SHA256=692A1B75AA3371BE335EF72EEAC87077ECF7D48669D5F1F6A6D57E82CAFB7084,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071289Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:03.937{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50895-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:06.608{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9247E055B306512F8D2D28C43D23CC82,SHA256=2DA0FEF6121FB51D9C391F1B295D89FED66DE3737F3DB5FCE24E5618EDE1BFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071290Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:06.083{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9DBC90AACEBABFBE6D46E2B34D5474,SHA256=70350DC8F3F55960A5E618ED0BD275CDFCE1DE5E902452D648AF83E9940229C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:04.778{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54762-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:07.701{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58C748F77C0763694C470FDF6E0C248,SHA256=881EC1BB83AFAFF383A41F85A1E720677B1EE8B0C9E671FE5253122FCADD6957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071291Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:07.286{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69C36852A22A85DD46949274EE102FC,SHA256=0DC0956FED552F39D3BB8C35E3013F5449F00F04667BC303BB6F4B07BCFBC416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:08.795{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AAF9088F156CE1B9CB88FC2E5124A28,SHA256=F732CDDAA2D91B3C6CEBD73C04B5CBE6341BF9F44999759CE37F7DFFDC25A995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071292Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:08.489{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B0B2667552DCB55B46BE0A34ECBDD7,SHA256=0F1F7D837957EF71CED56C42C532699196A019AC3FAF9950E286613F1898BF33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:09.889{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02CDFBD0456056169B4BA49EC2FD703,SHA256=00783C46C4795CE4C6ADF78C5F2BD97EDDA87E5DB8EAC88FA1C724269E822AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071293Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:09.801{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C084F15F697B4991F82A544D2D24C27D,SHA256=1DA0D410C7DBC1B081BA4B2D4B761302720D9A3F2EFC9CC5F1585FC75FE9F610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071294Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:10.895{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481C1599C4F3E95EBD20C0E5FEFCA9B0,SHA256=A56DAA89A7320648D764F5FA7DFB89B307B34183C4F0B0E119246799205F1437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:10.982{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93FE05BA2796153589796D46700032E,SHA256=7C100896BF237796FC9D68FA3858255C7046FEE9F3675743270556CDC3888851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071295Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:11.989{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C7754B26AF51D1E50500DE7256D0C3,SHA256=D41753182F7164FBE8633D01191FDCFB0EAFC7360011BA6815738794D90F6D93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:10.527{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54763-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:12.076{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3910E2B1FE78CF353752AAB13C2085E8,SHA256=0C763CCB02E6BC2A7C6D47F70E2DC7DA5CF5D4C16F104DA3F41DA6B4B34007D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071297Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:13.083{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D2E16031028887F11CFB602AF7CF50D,SHA256=9D0288B4BA56A358FD8600E96B06FA72BA5D7E508B53B4AF6A95233BDF90F3CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071296Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:09.765{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50896-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:13.170{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C516E5C273BA882F0CFBC2251846483,SHA256=A3864CC7F70397423069DBB8FD37438AABD87077E8371FADF53A5EFE181CB58F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071299Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:14.556{0A5DF930-FCE1-629E-1100-000000006102}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E8EF49655FEF9CD14C1C3523672AEE76,SHA256=94FE5EF909B0D20A34417F4C95740F3323DFE5664C6753AB3D59B9FA066BEFA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071298Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:14.286{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9632BAF71790AD8908E20CADA21800,SHA256=FABF72BC5FF2B0EA95EEF830253D920101F7A76F5FF7296E887984FD0249C0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:14.264{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=115C5C848414C36E60922CAF4051D106,SHA256=48D6184BC1F39CB4D6576F518B149014B5541C5AFA26A0E1D630965066F160C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071300Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:15.400{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13364EC8FAA9BF1C28F80BC823CD248,SHA256=FDD9321E41B98B64FBE9D1BF11D2865996843A3A82CF8FCF4359EFD5CBAF52E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:15.357{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87305954E984F61DDE46369512F7F0B,SHA256=C0379B3E99E954D17BA8B01BA9A0AC0965503CFA3FCDD5454ADB4B09E9337D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071304Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:16.712{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD9ED1EF7AE066B65D0A6E5AD09135D7,SHA256=941A5D2435BE5F142666A014F3A6A20F10AB99F1D85FE3D190A5BBFDD03932EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071303Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:16.712{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE1-629E-1300-000000006102}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071302Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:16.712{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE1-629E-1300-000000006102}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071301Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:16.712{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE1-629E-1300-000000006102}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000253238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:16.451{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E48CDF1E9A924F96DF6F65DA686F451,SHA256=311654EBF5A01245E55B22AB2E0DE32EAF6BCC088A7B5421ADC3BCC8C2C46922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071306Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:17.916{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A657687BCC640A707720F3F3BA429B,SHA256=1C6914E7FE5ED4EAFA485C04D68AA049CAE3EC9426011E17471040DD5066559E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:15.558{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54764-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:17.545{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99250C5CB48E902027D1395C7D35386,SHA256=7371970C423F8ACD9786A04A37EB9D53E2CAA5E93710788C12F1044F30F10DC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071305Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:14.941{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50897-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:18.639{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD62D9ACE6E17B81C4A976CC696BF713,SHA256=B0CFBBA1E946E4903801D9812CCFF8E30DB51E3B14919DB21EABD3399E3EF3AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:19.732{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA29589AE0B80A42CC2090EC6C6A110,SHA256=25A65638593C0AE4152CC2E6844BDF2C2297DA020A8B27DA6EBF9FA373C85527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071307Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:19.228{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267EE8566375E53D562A1E167BD56872,SHA256=CC0B41E285A563BEB086B473285CA494FA554B7C3310CDDEEAA735627838A4C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:20.826{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB04ED856830AF82A51A8BDF7DDE119,SHA256=5846561BCDECD44A6760A932897FB0792F6FA4FB759341488F2451B3891D8F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071308Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:20.322{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABCE017043A0B1C88919A69E0FF93858,SHA256=2641226C04400E7A6F19EDB5D962B0C800F422336BF2C7038BC559A413F2D3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:21.920{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2967DEF8A128E52EEEF38E2071633FDE,SHA256=F6E7FCFCA60C36B13EC3E4DF4352CBB27805B9904DAC035C45EAA08DA8FAC3C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071309Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:21.431{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5949ECAEFFF66B68535132171EA7D7,SHA256=F03F95D5E8597106CB35CAAFD6836871AA2924F87ED0460DB908D2C4109E29AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071310Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:22.525{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B3CC609C7138B7F30B458DFEF5C1D1,SHA256=2600A9B3377575114B80F0C1ADC2D96796014B5859FC801B3A95AEFD378484D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071312Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:23.838{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488A45FEA6613B8E03011070FFB72402,SHA256=432A26BD3342DE02F7F5BFF7F81FA1F95CB5D8A4CF03EC2AB392EE373164EEF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:20.683{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54765-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:23.014{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BBE71A81160F0687942D2C9588E4A9,SHA256=5B15C18A9B89AF5CE95D7FDC5A5E73450D2FC9E676B8FFF73932696DE2840CF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071311Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:20.722{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50898-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071313Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:24.931{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6129B11C04B16CD04E090D660CCEB93,SHA256=0F4FAA118A35E8F70EAE730C23DE9091E6A7C016C7487A5FFCD786EADE646F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:24.107{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C689B77BB80D3AFF4C26B8E017DF8C8,SHA256=EF35B5A44E431499C24702CA0868191566246B2CE1B1AE56D8DBD61B43A9F36F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:25.201{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66655911FCE0D4BE20A29A1A6096324,SHA256=A6EABC4D6D99C77A8AFC025D5D2676729990443E740685A3A0BB6A2CB041717B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:26.295{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3014D3194B24AAAF4FEC77280A51ED97,SHA256=48A922539FFBCC8C7A7628A26F96BA70BD032FB8654867256F2543B4A7D11E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071328Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.822{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071327Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.525{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-14D6-629F-7103-000000006102}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071326Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.525{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071325Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.525{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071324Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.525{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071323Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.525{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071322Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.525{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071321Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.525{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071320Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.525{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071319Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.525{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071318Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.525{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071317Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.525{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-14D6-629F-7103-000000006102}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071316Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.525{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-14D6-629F-7103-000000006102}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071315Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.526{0A5DF930-14D6-629F-7103-000000006102}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071314Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.025{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79499F20075FF92C7FB62E425FC9052D,SHA256=4C5A21BB0546CB96B2FBBB59856BF99D3A3C7674A84D5A4F4837C2B4D379E087,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071357Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.712{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-14D7-629F-7303-000000006102}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071356Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.712{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071355Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.712{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071354Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.712{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071353Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.712{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071352Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.712{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071351Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.712{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071350Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.712{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071349Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.712{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071348Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.712{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071347Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.712{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-14D7-629F-7303-000000006102}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071346Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.712{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-14D7-629F-7303-000000006102}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071345Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.713{0A5DF930-14D7-629F-7303-000000006102}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071344Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.650{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16C9ABF0BEE9635D414FAA70C61F3923,SHA256=30337AAD7B5FBB211565B5D1D56DD7FB1DC063692A496BFF30F3ED23905AB9F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071343Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.447{0A5DF930-14D7-629F-7203-000000006102}12722860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000071342Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.228{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95530221661A8A39F6BD4E619D98E3C,SHA256=7D2CEEBE3EC71972B27E7E466DF15F1C77FE7C848F86F7A2E879C5E41CDE3F3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071341Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.197{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-14D7-629F-7203-000000006102}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071340Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071339Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071338Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071337Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071336Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071335Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071334Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071333Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071332Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.197{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071331Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.197{0A5DF930-FCDF-629E-0500-000000006102}408528C:\Windows\system32\csrss.exe{0A5DF930-14D7-629F-7203-000000006102}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071330Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.197{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-14D7-629F-7203-000000006102}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071329Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:27.198{0A5DF930-14D7-629F-7203-000000006102}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000253250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:27.389{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875F09FFAD526D29501D2947166FFAF2,SHA256=39F94DECB4B6FEECA78CB1E3A230721144A247583BB2975008EB8FCA24A20E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:28.482{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CDFC0D64D4F18D3949C2310784656F1,SHA256=DC714676031C16A51262ED85A515AF8C98FF3C50C0AE98FA4ADBD6764404BBE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071360Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:28.822{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9718143C3910DF2BF6D0F1D81EE4EA8C,SHA256=507A16D22751B0536B312351423BA0659F25A247404DA37DBA192D73AD3008CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071359Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.488{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50899-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000071358Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:28.306{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=240635121F1E8F694E22DFFE53A64698,SHA256=EB7A457927DC16824FFA68B0D9EC0D6E505F834AC413B0DB98DFDF9215527500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:29.576{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41EA2D500382157523B1E483448D5B1D,SHA256=E9B45183DBEF46FFB2AFF8FD4C445EE6967D96B0BE8B58DE567DF362DCA874DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071390Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.869{0A5DF930-14D9-629F-7503-000000006102}27481532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000071389Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:26.738{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50900-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000071388Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.603{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-14D9-629F-7503-000000006102}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071387Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.603{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071386Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.603{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071385Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.603{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071384Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.603{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-14D9-629F-7503-000000006102}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071383Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.603{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071382Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.603{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071381Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.603{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071380Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.603{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071379Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.603{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071378Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.603{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071377Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.603{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-14D9-629F-7503-000000006102}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071376Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.604{0A5DF930-14D9-629F-7503-000000006102}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071375Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.369{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE06A9B6A6050F7D0BC54AA9C5262C2,SHA256=963A0577903716A8C6416E83A362DFCEA3EB073FFF21D731B009249F0F022D3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071374Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.353{0A5DF930-14D9-629F-7403-000000006102}34042396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000253252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:26.714{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54766-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000071373Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.087{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-14D9-629F-7403-000000006102}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071372Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.087{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-14D9-629F-7403-000000006102}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071371Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.087{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071370Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.087{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071369Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.087{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071368Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.087{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071367Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.087{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-14D9-629F-7403-000000006102}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071366Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.087{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071365Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.087{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071364Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.087{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071363Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.087{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071362Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.087{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071361Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:29.088{0A5DF930-14D9-629F-7403-000000006102}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071405Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:30.619{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F0541475DAF6A1ED86C56B13C5E184,SHA256=B0DDB8A14647B2CF8644837C7892A1ED0BB902269445B2BA1F2CA55D34AAFB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:30.951{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8BC6343B7295A961D19036F501351FE8,SHA256=FCDF61FAE508C66545FB535CB965CEF894973467E0ABB76D0C34C12CB0572CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:30.717{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27255FF996E4486AFBE76DC0548F039C,SHA256=0E553F6C82F0A2660DEEDD6B3FAA8506A137D49CAC2B9CDD29084B882C376B06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:30.670{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09ADD12DCEC24F25405EB816E3077895,SHA256=2FE5A0EF72281881D44E23F7D373CACE0A1B4BE129B802CBA3D0174DD6684C94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071404Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:30.337{0A5DF930-14DA-629F-7603-000000006102}2620696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071403Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:30.119{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-14DA-629F-7603-000000006102}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071402Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:30.119{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071401Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:30.119{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071400Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:30.119{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071399Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:30.119{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071398Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:30.119{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071397Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:30.119{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071396Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:30.119{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071395Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:30.119{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071394Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:30.119{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071393Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:30.119{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-14DA-629F-7603-000000006102}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071392Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:30.119{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-14DA-629F-7603-000000006102}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071391Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:30.120{0A5DF930-14DA-629F-7603-000000006102}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071406Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:31.791{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0099BC94F4FAD89BAB47A24A23834297,SHA256=478B6660E39232374F09FB47DEFC79A7ACDF19B40D7DE2D890DBA00D196D27DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:31.764{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C571CD3D449A88F813972F4B7637357,SHA256=3829FD05C94C39B0D706F9AC7463D7669C0BF34F64D286B6D45704335A5B0877,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:29.121{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local54767-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000253257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:29.120{2E1864BB-FCA7-629E-2A00-000000006002}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local54767-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x8000000000000000253260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:32.857{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152FF854878F8F0062DDC0B7A6D57372,SHA256=A30F95D33348730A0BE46464EE4FD5479B4D93C271B214DD690FDD001D42D7B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071419Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:32.916{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-14DC-629F-7703-000000006102}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071418Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:32.916{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071417Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:32.916{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071416Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:32.916{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071415Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:32.916{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071414Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:32.916{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071413Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:32.916{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071412Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:32.916{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071411Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:32.916{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071410Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:32.916{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071409Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:32.916{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-14DC-629F-7703-000000006102}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071408Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:32.916{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-14DC-629F-7703-000000006102}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071407Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:32.916{0A5DF930-14DC-629F-7703-000000006102}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000253261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:33.951{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DF683F0F960073BDE063B21DE593F5,SHA256=C99DE3B866F935997FAAA7B3CFE9A2EEE81F7AEB5A00BDA36B4714220323F76B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071421Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:31.941{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50901-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071420Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:33.103{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4EE5D0AE86EDDC57963D5FAFBBC91C3,SHA256=FEF5757D29D8312C4712F97DF13F4CC7D68A28B8FA6C1AE43752D95490064112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071423Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:34.212{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179BDE04F8CE9D9393507E13627062FC,SHA256=820E2AFEC6DCD86DEE07599CD8252F4AFD7CAA93273336432127496DD6C30917,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:32.574{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54768-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071422Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:34.103{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF05516820453EA1E8D78E5E0489CDC2,SHA256=92E21E50C637EEAE29FB7704F1188969928681E423AD63458E39C89D5F070B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071424Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:35.418{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93540EAA0739EB4C99B8C9B7FC776928,SHA256=70E6ABBAA2D4A111CDCDFCCF3CCC0EC4A961CACD744826322231CE677C19402C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:35.045{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=587685B29546797A1F12F4D8454E569F,SHA256=429CF57C431746F34C5EE5C1D30D457F20BF83AEF11CC3140A82D51BF63602BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071425Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:36.621{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EA693D384F418B93B88079A458D277,SHA256=41D6A27E0104C8BF54E725C12E183C37A153AE0A0C420222500D8240717B1F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:36.139{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2A2D34DB3E030AF64AF284C56F6AAEF,SHA256=452AD8CB2815FF47AB9F0480BA31A1BD75B839486A7CBB933CEDABFCDDF2CC66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071426Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:37.731{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25DDA194BD07FBDDD89CFD367F61405,SHA256=297EBB4539617A6B76E0560D85D6A57AF282F2491F5A3CF50EC34517BE2806F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:37.232{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAC0F1810788EC326CC06A448209A28,SHA256=C485550464EEA6EB9C2C8597487DAF2F187963BDD636DFB1C1D330D9A67373CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071427Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:38.824{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276BA96B82B3E402435B834FD79B80EB,SHA256=DE1EED0F7A9B7F8710D2358B30D711D625DF85A134E16CEEFB05A24158A02EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:38.326{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D2802E3E0B21B31469E6D36D1CC7AB2,SHA256=6908588AC2DB3F0B18279BE9D78019CD192BB472666898C101EE5CC13413DBDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071428Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:39.918{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B33B22A67AC3CB5E72E1360618898B93,SHA256=FFFF48D89C3C02C19C5748F09E9581A4FB15C9DF6AA80D4C8A3DEEF0A682DD57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:39.420{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314201B27A9407609F188173958A4163,SHA256=0EA90067E41ED281DC7D70BF4661424AF177656C169C63484B3E9EB05DF1DF61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:37.730{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54769-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:40.514{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A1F97BD7E276E9EE0F59589889CD9B,SHA256=007D7D86954F901BA312A28B88DAB917AA80A3D0B16C2A6C10C798E7A71AAD8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071429Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:36.943{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50902-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:41.607{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B5111D36EB397129CAEE54BE0FE1A23,SHA256=4E638B9C706C9306A95AE0349CE9A96A61645EE235CFD10EB3E9F91777580BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071430Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:41.012{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA2E6D8CF908C7F8F855CECC22B4172,SHA256=B98D5FC1C0FAF2A633F6A5248F90B3AC092A71B09B0248E0AB2E5E6C3F550635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:41.029{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:40.527{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54770-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000253279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:42.701{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3234F0CD5FB8CF1DE6196B456EB9A57D,SHA256=407AE88C2E95A8D684789ACBEBAC7E612065300B2AA8FF091F8BF015FBB767CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071431Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:42.106{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A628C6F0CA799FE99C184339CC435F1A,SHA256=A3E8ECF2A7B701F40E145B42E2E6E47AB23A2808D8CBE6DB17139E1D45D0430A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:42.076{2E1864BB-FCD7-629E-9400-000000006002}5024860C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:42.076{2E1864BB-FCD7-629E-9400-000000006002}5024860C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:42.076{2E1864BB-FCD7-629E-9400-000000006002}5024860C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:42.076{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:42.076{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:42.076{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:42.076{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FD04-629E-9F00-000000006002}5912C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000253281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:43.795{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE08B030BAD724023A015CE48F3E847,SHA256=3BBE0D831FAB8FCCD1B243A973D69F3AE6312598354D7BA453FC6978D3843022,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071433Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:41.943{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50903-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071432Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:43.418{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E687916046C7E9EF0DD4FB55C206C5,SHA256=FB40ECE527E03F13B9F261D580DE4A732D3959B8C04398C4105F2A0983A50673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:44.889{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811E0C6B33320F14FC9784A2B2C1D1F9,SHA256=4457F0862BD2C38ACAB3B624FAC7D8DB6CE7EF56D6759CB4C9B158CA577B4CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071434Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:44.512{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B501333E7AC899D26827403E5C2BF66F,SHA256=0B8718C5095E633DF27ED8EA5C27EF68CEF96EFF2189F454AA09205E434B6327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071435Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:45.606{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C276D3E3AA99C889DF1CCAE9E70651E6,SHA256=8443001D24547C5AC32C28B1228B8097411E5D2BE999B3C6E0C981723D6050D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:45.982{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E67A08BE60929BCE61FAE5B4F59B27D,SHA256=978DA9E32748FCC0A3E213530506819A59768DAC2654DB645D7DB4B1E89A6CA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:43.730{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54771-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071436Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:46.918{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A75AFE691BBCDE0155DDEB722C94AA,SHA256=DA6AE034960CBB8FA139C6BB9A1CD950179C172FE792CF0AE3A0BF00CE09B355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:46.967{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D53C245AE045BA9014D8F411E079DB4,SHA256=71A1CC2E04BC4F514855A038E71AAE2C3C080754FF81835D13A2819D1B3D6492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071438Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:48.344{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220607072316-099MD5=9111EC41FF83C628EF84330FEA05BEAD,SHA256=3F7BCDBE67AB8824DC300550CB45B7322968B387BF2CE401070A8C26F347D813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071437Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:48.014{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC4398A898434E42F9D9620994AC90E,SHA256=B74320019027992ACF6CA866C9E160CB9BBE47440C26FBD74EB48550094FE4AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:48.061{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E551645AD8BF58FA4C634863024099,SHA256=2F9CFD997F55D20613F5941454DE42A867929D5D707FF294AB10EF091985C101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071440Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:49.349{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220607072314-100MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071439Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:49.114{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8AA90BA4C23F73513F1FD71927B8A63,SHA256=4EDBD6BB1D9DE52102BE4B9F7506BF59A63AD146DF685B82B92902CDD8331A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:49.154{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D679394A05DD3F3C6CA0B70E1B2703,SHA256=5E982DFB5E61EAABEDE9ECE4DD97FFC331D9D3F6D208DBA06EC5DF5C3855AE3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:48.730{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54772-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:50.783{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220607072217-100MD5=26E254714248D0D79F13F56976A5C4B7,SHA256=C15338F826599CD6AABDB3AEEABC6E7FD705959E0E9A072D05126DC09FC03A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:50.248{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8335C2C25DF0237F0EA9C73A78BFC12,SHA256=3BE3167513552724C39647691A3614094F2CCF4920E1B7C5FFA2A794F67D4AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071442Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:50.427{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F26F5EEADB1156EF56105A2DAD2D2D,SHA256=D20A4E8CA6108528BBB1E23290EE73C911316785568325035B6B64DE4D71B10E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071441Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:47.805{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50904-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071443Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:51.521{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F91534CD1D4621DF9A578A35E0B199EF,SHA256=320FEACB33ECC79371D6D33B5746275EFFD674A40AECF3702D51973F2A2FDB8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.796{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220607072215-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD8-629E-9500-000000006002}2164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD7-629E-9400-000000006002}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD9-629E-9600-000000006002}4504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD9-629E-9600-000000006002}4504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.467{2E1864BB-FC99-629E-0D00-000000006002}892916C:\Windows\system32\svchost.exe{2E1864BB-FCD9-629E-9600-000000006002}4504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000253291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:51.326{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E774479596D9589F86A97D63170BBF,SHA256=AC6993558C88D2C7AA6035A79AB162A31790DAD3444F82AED70100D7C453F1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071444Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:52.615{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13682D9F2206613B40857086BD7B5083,SHA256=F480DFCC7A56816A4B71951BED545666DB92ABDDB640C6862B1E42A14E897975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:52.734{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9481DC475E94F7C7A21F9D06160882,SHA256=70467B6518C5A6461FCEFE7931A23910DB7180A34C6BAC283B907D1C5D828345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071445Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:53.708{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0809307E5D7106046F4CABBDFE52F2,SHA256=86E8E55D5C0668D5288CB7269B5140CB4B878D2FC3101A881D365C60406429CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:53.859{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F10D548C0D793A0B8FDA4BCA7C2BCD,SHA256=2FA1FD8DA6311A599C9489EFA52EFA99C4410A5DE3962D7E461E450B55CD262D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071446Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:54.906{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DA7D5A1D683BECB8198215491D25D7,SHA256=E601EB1B3CFDF89E150C819B61B2BDE8227F4866C541858B01B6384E0C294A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:54.953{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3B72E06D44D7AD6C3D4ED5DE974B38,SHA256=3D702299173A5FD0E9846951B95ED0F609639CBEF30875649E5092E3AC231B0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071447Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:52.843{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50905-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071448Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:56.218{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CBAEB4B46B0EFE760A5BAC938511274,SHA256=ACEAF3A33DF4968F5A69AE2B70CB73AD79F398CD35ACA1D176C193734615C0BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.828{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-14F4-629F-FE03-000000006002}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.828{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.828{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.828{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.828{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.828{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-14F4-629F-FE03-000000006002}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.828{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-14F4-629F-FE03-000000006002}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.829{2E1864BB-14F4-629F-FE03-000000006002}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000253342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.562{2E1864BB-14F4-629F-FD03-000000006002}11163020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.328{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-14F4-629F-FD03-000000006002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.328{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.328{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.328{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.328{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.328{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-14F4-629F-FD03-000000006002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.328{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-14F4-629F-FD03-000000006002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.328{2E1864BB-14F4-629F-FD03-000000006002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000253333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:56.046{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9356311A0CA7BC27DDE6846D05B52E,SHA256=D0A2830866A7770B6C1924127E2C7D8246CF6EFF61C32D4040F88E4FDB644983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071449Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:57.421{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA6C546ADBAEAC8D43CEA642650755AD,SHA256=F3D0C6711973BB7E8F0961B6A951509F455B1AE93D917DE6719612DEDB638028,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:57.437{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-14F5-629F-FF03-000000006002}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:57.437{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:57.437{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:57.437{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:57.437{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:57.437{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-14F5-629F-FF03-000000006002}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:57.437{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-14F5-629F-FF03-000000006002}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:57.438{2E1864BB-14F5-629F-FF03-000000006002}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000253353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:57.421{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD701F0C364FD1E9CC41882BC5A98D3D,SHA256=1BC98F3CC333FF3444F165AB3D599E1962D3E537DAF629708E987FAEE1A9D840,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:54.762{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54773-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:57.140{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E493EAD990CFFE57619791BB42887C2,SHA256=494DAEF23180A052BD59C21F9229EC242C621C176763C29E401B0468C34FCAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071451Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:58.749{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D798DAD6E392AB4F7805668A2259C635,SHA256=61AEF453C2FDDAE5DA014FFEE9277BF5C0662A704BDF22425D1FBC63AC44A797,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.796{2E1864BB-14F6-629F-0104-000000006002}1944100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.609{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-14F6-629F-0104-000000006002}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.609{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.609{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.609{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.609{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.609{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-14F6-629F-0104-000000006002}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.609{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-14F6-629F-0104-000000006002}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.610{2E1864BB-14F6-629F-0104-000000006002}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000253371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.406{2E1864BB-14F6-629F-0004-000000006002}7122040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000253370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.235{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A03E535B29487F64777B4C0E8615F0A,SHA256=58BAFB24D9ADB104FC2C15111C98953AEBE3DB864EC70FC500F14C7FF66A6D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071450Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:58.578{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BDB9CBF7A9F00B33DDBDC4621AEBB7E2,SHA256=AEABCEFB5506BAFE0E05FF029F0367981F464B69D1275E23BDAC05986202DE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.109{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-14F6-629F-0004-000000006002}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.109{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.109{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.109{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.109{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.109{2E1864BB-FC96-629E-0500-000000006002}412528C:\Windows\system32\csrss.exe{2E1864BB-14F6-629F-0004-000000006002}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.109{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-14F6-629F-0004-000000006002}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:58.110{2E1864BB-14F6-629F-0004-000000006002}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071453Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:59.843{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95E08E9514837C76792523199E4A296,SHA256=DEB68C2FA832338C86ED0E6E5E8CF495896651D6AD963F59C18A8AB08385CAB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.953{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-14F7-629F-0304-000000006002}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.953{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.953{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.953{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.953{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.953{2E1864BB-FC96-629E-0500-000000006002}412528C:\Windows\system32\csrss.exe{2E1864BB-14F7-629F-0304-000000006002}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.953{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-14F7-629F-0304-000000006002}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.953{2E1864BB-14F7-629F-0304-000000006002}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000253390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.468{2E1864BB-14F7-629F-0204-000000006002}8881588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000253389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.328{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9587DA52B320E8A6FAAC30EED1F5C50,SHA256=96B39125742293EA0E63C01E6BF8AB320283747CCD5EF06BF927DE94AB5589FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.281{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-14F7-629F-0204-000000006002}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.281{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.281{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.281{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.281{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.281{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-14F7-629F-0204-000000006002}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.281{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-14F7-629F-0204-000000006002}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:05:59.281{2E1864BB-14F7-629F-0204-000000006002}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000071452Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:05:57.899{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50906-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071454Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:00.937{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ADD73C30AE70A24A41B9F1FC87F1F21,SHA256=5C0F9A008431CAEB1371B166F6B6B270C11E39FA63EC45C9A4DF6C74F3C152FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:00.312{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E8AED995C2ABCB543709516A2A65EE,SHA256=0AF9F7B0CC0EA10ABA83AA3F8FC3F33D1C1C3754A2CAC27BADCEBAB86265124A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:01.406{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C70ED44276E8651E9FC1D8D3CA0431,SHA256=69AB2B442CA4847B91A5E1F71325504EEF998BA6A4388F403C1BEEE656CBCA0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:01.249{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9653D88E095D8E0597C7D653AA7E5636,SHA256=2D140D45BF94271E8C03AEB14A7A240730A7E8854E445C6AE986CFFA37FE23E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:02.640{2E1864BB-FC99-629E-1200-000000006002}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7326CD97438E18C80152D7B6F09D0CC9,SHA256=54CC072016353B5E4E0CAFCF6BB943533FB2F808F8C575C76DF87BF623D364BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:02.500{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30459760B7D4719BCBBAD9B8BF2C6CCA,SHA256=EC4253DAA10DD39159427153DAB1497C3FCA91C016793645CAB6746F4272863D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:00.528{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54774-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071455Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:02.031{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A08FD98D6388E4D27E845DE099D3046,SHA256=772E272D4A7F652E4D098F954A4A91F885D89BDA80178A103C8AB5CBCA7CE6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:03.484{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC4A3A27C144215E52639F02B8428DB,SHA256=923530D4DAE1AF772B43D8658DC3FA91A44EE633F2DE0C78B9F6A10770DC5030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071456Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:03.343{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3976CFC969785231605157F09268AC,SHA256=939F87E376D5E3A228D46E0677DFE7D9F91806DD840DCD92830B6734B3061F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:04.578{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8422C69F176646CBB6D9CCBC9005B8D2,SHA256=DB904E2C6F2B2D90DABD0080D7FFE3F4B94FFF42FBE67DA9E1E110DF1225FC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071457Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:04.437{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B8A8AE1BEC16E78426815440519123,SHA256=8C742010EFA2E8C4096F7CC5B59324C3AC63BE88DAC29691A30203C8577247FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071459Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:05.531{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1665C75A256B4C7369A9C191CC92459,SHA256=CFF3845FA0E2FEDF9357983DDCBF08160F6856E14DF8C9316529C257FF5F6C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:05.671{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41183236D131D256317F7D5299491DDF,SHA256=F8A0C1F06C2B8E6156140760EDFE9FE9E7020F77D9A2DA84F85177D2747AEB8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071458Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:03.930{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50907-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:06.765{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF732FD5D92D6B46CD18D949A3B2105,SHA256=6B2A5B458F95A5C8271E2002F2E8F2778E63B559A1072A6BF31DAD55B8243CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071460Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:06.734{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24022FEB46C6DF189EB90C3084A191CD,SHA256=0863AD1AC594B88E75A144C0703F1E1C1056A184929AB800ABE7B5F84E589573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:07.968{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B870A20457616AD3255D27D99DF011C5,SHA256=47ACBA698FF97265493A2C3F77BD32D685ACF9BC62A108E7346220413473A003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071461Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:07.828{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7756BCD26FBCA93CA508E1473462B92C,SHA256=2BCF95E78F8740BAB3DC873FC88C8047E2AD1616147D2BECA0158E4E1CFD4CD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:05.559{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54775-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071462Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:09.031{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742A39109B930153C79EC3191B93BA2D,SHA256=AA204B34F478F43E9B08254EBD214BE7AC55D5AA9DA8AB47945493E6752EE7A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:09.062{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE34A960AAA34ABA3E870659B2AD09C,SHA256=FC668BB5AF1C27DED64BD0F99757C096922AD9A3E4E5ECCFEB8C47CA7354C628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071463Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:10.124{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=447CA0470ABB25C6970C78D1EBA4635A,SHA256=9450B8E0D7293CC76E28A624961F7FB39787871E5535CE2B3ABCFF993770EC1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:10.828{2E1864BB-FD04-629E-9F00-000000006002}5912ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=203FA7196BF25CA039C7731196DF2B9E,SHA256=C266F32538791A83433DBD2FB2F4B1A8CEA1CC25E12038E29C9D92B11326A018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:10.156{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA94A6C57DBEDF24F782F81DCEAB18FB,SHA256=5C1DE8F222D923F7BA08BE95FE5BBC21A3D9EF36F0191060804DF38A4770B5D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071465Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:09.711{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50908-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071464Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:11.218{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D1CAD3BCEFD2F05B98AFD2D3EB715D,SHA256=D246281AA6595E8280489F913579650112528D82B5118F054038625AC256C7A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:11.249{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC3181E255315FD91CE42C559785357,SHA256=FDADA412BBFC7EB9E2773BA682DF9AABAEB507E8EA122C4ABAEF0E67B14EEE47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071466Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:12.312{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476CBE4B5B6C14309700BEC1253BC4D1,SHA256=B5522F9DDE78866449FA11D13CE94A6344960396A5A30E0A9A707CA0DAD1C28B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:10.637{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54776-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:12.343{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9898EAA222A28482182DECAEBEC5F89C,SHA256=2836C64BD99B1F360F365CCDF5C6DED002779826D193DC0AB7425C4729D897C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071467Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:13.515{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BDE1D3B7D2630CC3EEFD9407D106A7,SHA256=281B21D144D76E0B8A9BE61E8AB4E84371B40FE325087E2C2972D26F12EB242A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:13.437{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E10F32B257857886166C8B5FD1457E,SHA256=ADB3A396577B158977E1DB720E9940381F3399FD642FE592A5D86E030D2CCEAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071469Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:14.608{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A262C4E217EAF59BC36B9E02C91D487,SHA256=B580AD5AFBC375931765D80FEDE4F600B3C945CD7119DBE298922DDA295F4F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071468Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:14.561{0A5DF930-FCE1-629E-1100-000000006102}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BF14AB1F2F53D959DA6D913B30C958EA,SHA256=E84F31B377BBFFE7F0F01965D23F20D15DBE695E9EBE86690BB10635FC6E8A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:14.531{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E95474159EF15EA3F735DE04284C4F2,SHA256=BC57821470EA5941E9E24517694D8A0FD06344E3B79E6B7905F3072B3E1164FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:14.374{2E1864BB-FCD7-629E-9400-000000006002}50241344C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:14.374{2E1864BB-FCD7-629E-9400-000000006002}50241344C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:14.374{2E1864BB-FCD7-629E-9400-000000006002}50241344C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:14.359{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:14.359{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:14.359{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:14.359{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000071470Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:15.701{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F3354BA360AF5BD0B1C93D6C9DD39B,SHA256=062DBD36D4E07D2AD377F5F0860C6260D9DA8D0EFF00C14BC197ED456C96767A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:15.624{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=599534AC137AECC9A3AAAE2B10F22DB8,SHA256=C80972C6E6C3F8B5476A83BF9BFCCD015334ADC1F491F0D4B5BBA94B86D08600,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071472Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:14.804{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50909-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071471Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:16.795{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2295C3932FB7C25161A1416F89432121,SHA256=B7A8D890BE2DBC4573DF4B602B9B2B4CDD6DAD1ECE7DB6828C76DF939DF5EEB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:16.718{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BBF407C0EFD1F8B1E82204F9DC1C6F0,SHA256=0E8841C69F895318BE0FD5DC4FB81DD7E58CB9E930CDBDDCC9F6BB49582D8A2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071473Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:17.889{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571381FE80012E9C1D5DFF7634F759CE,SHA256=597095FF04FF2802A7EAEEC4B6178A674B92C0B65F629E51E680EF4184CB3ED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:17.812{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7069D40E1B064A678636F81258571871,SHA256=FF39EC3E31EA088AFC7AA61D3DA2AD2DEE5BAED307990CB532BDBA49A25FD1EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:15.668{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54777-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071474Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:18.983{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC0377F1A463C9F17823144815CE2B3,SHA256=74D9EE6C900982E8880338F7F0DD47698722EE655BED1DD23AAAFCB2D315BC15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:18.906{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4E323A8AE37CA6D8F3772E9C85EDD9,SHA256=3465296FD2853762E9EF3DDDAB70D09EE6E2F2DC9AE7FFB64BC2DF757910558E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071475Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:20.295{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4588907C9E8ADA70E7951D13197B5A1C,SHA256=52A1D48DA8BBA6B383217D6622AE14AE5EAC44CFB22C52AFA6D50CB3983318A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:19.999{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63B957A4FD3665DF1E7F23565DB5733,SHA256=1C58A522343506E1CC2BCF8BFC2AE952E7FA67EE82D5412365D118D7617A91D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071476Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:21.389{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3549716A75C896EB1A2DF24ABE566EDC,SHA256=AF3A4AB44014864059AFEAD0C3C4AF96353DF7F10E8C7AF5B8B20B0680D0B334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:21.093{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB5163CE9F93FDE2DB345B1B03C5012,SHA256=8CC93D934B96B6F4D8294521FC75E881CAD9281730CB70E8E3905E310E391295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071477Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:22.483{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0C511C7570436830AFEA62D2F7434E,SHA256=521F90AB0F0E2E5ECB4A9FBF8A77A3FA4A6D91817697F3873B9305A4BC546C06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:20.733{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54778-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:22.187{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25497306F941A61738C7D3354A92FFAD,SHA256=1F1AC3EA3EDC057C4D35A9A80B55004490C6D24C4BD3668AA7BBD54460098AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071479Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:23.576{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09147C999383A798A4CAD5BC31B3A26B,SHA256=04C6AACA13E64DC1BFBE0FD1E2927209C9EA08BAAD7AB024EFBCA72566D8B432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:23.281{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF7C09E84FC7FEEF180BDC790DB6039,SHA256=BD534906F4BB33374ADE4B082BF303ECA2952AC3A74FE9D0152CEE7FAF3D98B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071478Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:20.851{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50910-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071480Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:24.670{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93CF36EAC52B914F48D9E707A86B2C52,SHA256=3CFFF38305B0509563B604AF684572C90B4D1683BA22BB7F3CC10C1FDEAD7B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:24.374{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB9A994F1C7B99175634D8FF9EFEA5E,SHA256=93E8AC0565C413B3F9689A2B498581A85932C0053BF6389D8C9E25D1CA98860B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071481Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:25.873{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32332B88D912DEA150BF6BD71A568060,SHA256=F5564A58127595401D80922D301A7F2643450A97CB267A65A5A6DD859A5E4303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:25.468{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA76E8C27F86B124F586A3F54153B28,SHA256=BDBFC53A2ADD3FEBF7999F017E47F1D8AA63CE883F7BF5FA5059B0D211848F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:26.562{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA6684F82D9B90760122B8D350E75E1,SHA256=117AD51D24659D7F5DD82D818E77D04A3E6CB049E89D5B3869BEEE32AD36252C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071495Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:26.842{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071494Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:26.530{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1512-629F-7803-000000006102}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071493Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:26.530{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071492Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:26.530{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071491Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:26.530{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071490Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:26.530{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071489Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:26.530{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071488Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:26.530{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071487Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:26.530{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071486Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:26.530{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071485Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:26.530{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071484Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:26.530{0A5DF930-FCDF-629E-0500-000000006102}408528C:\Windows\system32\csrss.exe{0A5DF930-1512-629F-7803-000000006102}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071483Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:26.530{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1512-629F-7803-000000006102}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071482Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:26.530{0A5DF930-1512-629F-7803-000000006102}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000253439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:27.656{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2034BE0C436A91F01474EE7C11125484,SHA256=A4F2944AC9C35DA1F27EA0E7308B782588F0972A85C2B40D6F0DB8877F774BB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071525Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.873{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1513-629F-7A03-000000006102}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071524Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.873{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071523Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.873{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071522Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.873{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071521Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.873{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071520Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.873{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071519Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.873{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071518Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.873{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071517Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.873{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071516Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.873{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071515Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.873{0A5DF930-FCDF-629E-0500-000000006102}4083504C:\Windows\system32\csrss.exe{0A5DF930-1513-629F-7A03-000000006102}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071514Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.873{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1513-629F-7A03-000000006102}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071513Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.874{0A5DF930-1513-629F-7A03-000000006102}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071512Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.811{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6A81DB247029F727ABF5390312B0C446,SHA256=D93B4D0B9D66A14EA36EAAA8283BCD8D36DA7CCE4C80998B76AAB5F72C46A583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071511Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.608{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CEDEB20984B2BCF219E7138FF13411B,SHA256=A5CA1E644F625E18694DF0770D94294152E89D4BFB545106161863B6F602976F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071510Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.405{0A5DF930-1513-629F-7903-000000006102}16643872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071509Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.201{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1513-629F-7903-000000006102}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071508Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.201{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071507Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.201{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071506Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.201{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071505Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.201{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071504Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.201{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071503Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.201{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071502Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.201{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071501Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.201{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071500Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.201{0A5DF930-FCDF-629E-0500-000000006102}408528C:\Windows\system32\csrss.exe{0A5DF930-1513-629F-7903-000000006102}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071499Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.201{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071498Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.201{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1513-629F-7903-000000006102}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071497Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.202{0A5DF930-1513-629F-7903-000000006102}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071496Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:27.076{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65817A1BB827C48909ED6ED8F21CCB1A,SHA256=3CC9698B47337DC23DC2D98498017D13D5A6C5015E0767E57286004644C1C7AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:28.859{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2857C50CD4271E450176ED4524584B25,SHA256=BBB1E9985EBA00923BF6830045FECAE2E1F287A5C20B5F90E2B40334ED6C9AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071528Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:28.780{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5732D7121628FBE632BE5FA6D785CAFA,SHA256=0CF08E0C47082FA330CEFC98271271D2E2B75FEE471CEA068A27676B458B004B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071527Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:26.507{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50912-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000071526Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:25.882{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50911-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000071557Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:29.842{0A5DF930-1515-629F-7C03-000000006102}29721296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071556Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:29.639{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1515-629F-7C03-000000006102}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071555Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:29.639{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071554Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:29.639{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071553Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:29.639{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071552Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:29.639{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071551Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:29.639{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071550Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:29.639{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071549Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:29.639{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071548Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:29.639{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071547Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:29.639{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071546Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:29.639{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-1515-629F-7C03-000000006102}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071545Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:29.639{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1515-629F-7C03-000000006102}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071544Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:29.641{0A5DF930-1515-629F-7C03-000000006102}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071543Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:29.592{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF231A002C77B7E18E417F3F9B34FA07,SHA256=0BC6D89185221CFB523C9E8E38239FA310BB7568CF3E338208C9DD1EFC8567F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:26.621{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54779-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000071542Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:29.170{0A5DF930-1514-629F-7B03-000000006102}40683612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071541Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:28.998{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1514-629F-7B03-000000006102}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071540Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:28.998{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071539Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:28.998{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071538Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:28.998{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071537Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:28.998{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071536Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:28.998{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071535Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:28.998{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071534Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:28.998{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071533Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:28.998{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071532Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:28.998{0A5DF930-FCDF-629E-0500-000000006102}408424C:\Windows\system32\csrss.exe{0A5DF930-1514-629F-7B03-000000006102}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071531Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:28.998{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071530Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:28.998{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1514-629F-7B03-000000006102}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071529Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:28.999{0A5DF930-1514-629F-7B03-000000006102}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071572Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:30.873{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDA75ABC44CE1DB883EFA5CC202988F,SHA256=7C560EB7684F6A3B36D8947717DE5258C2940DAE02A66C790C88F5467DA311AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:30.703{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17973DBAA969277776040664725BA437,SHA256=FCC59F8C568B7E2C89D2AD2BD442590CB1A2EE6646B24F0146CBE21ED60241BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:30.546{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=261201640210F47B1D76C582490DF56C,SHA256=6F73D6459E4F58B243B627BD51C97890CECA19191378F9C484CE8DA7C27C32F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:30.062{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFAD2910CD68D9598482A7C27EC2698,SHA256=3E96E75F8F43A09B46C13C3AF80344B9B16C1CB28D96B4956E92B319D657E9D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071571Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:30.483{0A5DF930-1516-629F-7D03-000000006102}40602420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071570Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:30.264{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1516-629F-7D03-000000006102}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071569Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:30.264{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071568Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:30.264{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071567Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:30.264{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071566Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:30.264{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071565Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:30.264{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071564Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:30.264{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071563Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:30.264{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071562Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:30.264{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071561Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:30.264{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071560Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:30.264{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-1516-629F-7D03-000000006102}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071559Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:30.264{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1516-629F-7D03-000000006102}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071558Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:30.265{0A5DF930-1516-629F-7D03-000000006102}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000253447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:31.156{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65AC98A376A0CEEE09B7CCA5B879BF0,SHA256=FF33FC5BFEB5151D66F937C9D9CD64BDC9AA1B81E7F98BCB27BE85015F63760A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:29.137{2E1864BB-FC96-629E-0B00-000000006002}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local54780-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000253445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:29.137{2E1864BB-FCA7-629E-2A00-000000006002}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local54780-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x8000000000000000253448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:32.249{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC34AD00373A88E76EFB0A61E6A7CB4,SHA256=90803E6552D12234BCAD2923E764AFBE54BB147881C5D35E65F9C61E4F7B261A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071586Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:32.936{0A5DF930-FCE3-629E-2D00-000000006102}28802900C:\Windows\system32\conhost.exe{0A5DF930-1518-629F-7E03-000000006102}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071585Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:32.936{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071584Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:32.936{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071583Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:32.936{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071582Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:32.936{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071581Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:32.936{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071580Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:32.936{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071579Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:32.936{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071578Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:32.936{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071577Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:32.936{0A5DF930-FCE0-629E-0C00-000000006102}7201120C:\Windows\system32\svchost.exe{0A5DF930-FCE2-629E-2300-000000006102}1176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071576Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:32.936{0A5DF930-FCDF-629E-0500-000000006102}4081032C:\Windows\system32\csrss.exe{0A5DF930-1518-629F-7E03-000000006102}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071575Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:32.936{0A5DF930-FCE2-629E-2400-000000006102}17043796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1518-629F-7E03-000000006102}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071574Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:32.937{0A5DF930-1518-629F-7E03-000000006102}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-FCE0-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-FCE2-629E-2400-000000006102}1704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071573Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:32.014{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D004CE640198A8F1FE6E742E5848266,SHA256=4719190CCCD16260C79E94FE5A2C0CB1DA7F16C4DCD21CF2B0034419518C8B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:33.343{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB18F0274ADB9BEF9D34346B05A9A470,SHA256=C578B7FE1270F4799F09A2A9D98CB1296C272DD5B93FECCC14B73D235B0785F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071588Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:31.882{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50913-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071587Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:33.233{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA67D6BC04E0DA61DAC6CB8C857B92D,SHA256=FE36A83B42184F654B86A3FD6AFC30FA68B751F9C830981A6C95D4375536CD4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:34.453{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2946ACE1450C2AC167EAFF69A02D051,SHA256=1F341AD2B3AA618566D638A541103DBA770E7220FB9C59AD07A7189541BA1FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071590Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:34.344{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6150375202436C304D296B5C562CCE,SHA256=00E5F0B69DACF0E0300C602B333C60F00F45BEB877FDC64EBB89F337D61B8E11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:34.281{2E1864BB-FCD7-629E-9400-000000006002}50241344C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:34.281{2E1864BB-FCD7-629E-9400-000000006002}50241344C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:34.281{2E1864BB-FCD7-629E-9400-000000006002}50241344C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000253450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:31.683{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54781-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071589Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:34.061{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F066E38C0B7D8BFDE3A2770AB26DCD3,SHA256=2767F9A037036BB8EEAD565BB7EBCB577A8E200E53CC2FF6514B947C155D947E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:35.546{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B329EFE0E2941B889C775468D6C7CA01,SHA256=7A1E88503DF29AB49E8F0C3712123C16AD0CCA3FE0EF39C214104EA109A49125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071591Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:35.439{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0350845AD3572F058296E9011DF6B55A,SHA256=D045FF5DBF66D748180D37F7114A7EF6E618960D18910DA7440D4A9C7423F216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071592Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:36.642{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9990FD0C80FFF5E5F2C6474C87A7E1,SHA256=5ECADE4CCEB81468E0B4DD5233AA0C0A4E02C6D043F5CCACA2E051C28AAA171B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:36.640{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B70999D58BB2868CE2A3C79779F669,SHA256=14F2F44855E95A1BD4B78DBD8150E74E565EE10C4DF3C490AFCC62E9559AFA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071593Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:37.845{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A78DB526B37BF737CC0261B3B072363,SHA256=4AEC5791844D20F83E69F383DF61B7D8E60761215C623AE3358869D7EF1EAE7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:37.906{2E1864BB-FCD7-629E-9400-000000006002}50241344C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:37.906{2E1864BB-FCD7-629E-9400-000000006002}50241344C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:37.906{2E1864BB-FCD7-629E-9400-000000006002}50241344C:\Windows\Explorer.EXE{2E1864BB-0E2F-629F-2403-000000006002}1292C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000253457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:37.734{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1AB0E2634D138E6562529EC28017786,SHA256=67A64689F79BB7C4D80C6D018F71CDB4DFCD9A3540547D30775C98754ADEA575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:38.828{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3065C50370A1B0F0BC7A8D3FC176F4,SHA256=0FFDFD48EE848CDF9247DAB715D225CFBC10D6127592BCFE939F1F57569AC5A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:39.921{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF4B9BA5C368AF1BCC1E60512A0D6A3,SHA256=083126DD8142D845433D5E74B04D7AD3ACEC055DF55D449C5C5250BD4AB550ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071595Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:37.729{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50914-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071594Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:39.048{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9D889178A7C675E9727F0DBBFD767B,SHA256=B9ACB4BE8EBA393CED5FC5C6A2FCB9113AEEBA4E5785BD13CDB0340EA44773A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:37.652{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54782-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071596Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:40.142{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB1227E4AAAEC9FBCE96F2B2B8D1CC5,SHA256=1F9DAAC19FDF45E5B1A9F586023495BA481105FD0B24599CE6B87E71166CB4DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071597Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:41.455{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4761A10BED30F9D663E23B90332A6E3,SHA256=17A9C3224D1B33872CC27824F187D9DCA8C3DF9A407F3874C597570AE5F8B650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:41.046{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:41.015{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FD03ED1190BCB37496A2355919BA03,SHA256=453D61B26850CB826DA3948EBD30E7A52A936A6BAD578A3CD170CDA526172250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071598Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:42.549{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9D854BFC61DB6BB393154F5F4AB578,SHA256=92552AE6D28FA56AAA6D824B5A0B4DFF889E4A2B046F340700046EA927E86564,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:40.543{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54783-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000253466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:42.109{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD754A8166EE288166C098D5E2C12826,SHA256=9803CFD96C737B75F2229F48063080E440DDAE591E36E677F7ABF94C064A4F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071599Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:43.642{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C3EC6B622BDB110705B268E234B9F4,SHA256=9CAF7F7711EC2B5D795457FDB4EC102315F4D2379A995F9D7362920033D49690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:43.203{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44F5DC7FC62349AB798632B6B9DD976,SHA256=7177D24CA68F883C7C09DB6DFA791EDB42ED1BD7E98E7ADD87F79777127C433F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071600Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:44.955{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D019125CAAD54AEE232D03F00D7AF8C5,SHA256=6041436D9834B3FB70DF843D5FA0B49399AFE2A73EC1CD45BEE2521B55AF8C6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:44.296{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC84C19F4482F88398B3C2F755603DB8,SHA256=7F3EC6E5B69A61FEC45DE5A339942680E02ED5919FABD0B105A484667D48D353,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:43.636{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54784-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:45.390{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F69FADFE97A04D93B79CA9E25DC090E,SHA256=8537AC6C408F8C1DD502D4D9B894C86738897698AB6E41BD599E56E9C5571233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:46.484{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0F5B77F68A9884627C366D3F211313,SHA256=8B7E4E0DC3F606129994B8803A0953B385A4E9C4B8F53AB8BBC96267724ABDFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071601Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:46.049{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680BF53D9A99E40C6F86B1985AD2CB44,SHA256=928114C3FC247BA9CAEB5C289FA27A05303C44A115BE8230F3ED695CC41EA4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:47.579{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD68FD31B3330694ABB31925680021E6,SHA256=524C641BE099D709A2C0D7D5321DA5D9DB9777D8766FF4EA6376612641C5D22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071603Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:47.142{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3294733D718FE785FEE1EC483CD53A72,SHA256=8C2A2D4948F0FB8D4FA214F6B8F5781CE217CC56A7A7E2F8F6ABB137AA5E2B95,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071602Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:43.775{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50915-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:48.671{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6DA5611F2F28964C4CDCC8F5F8DBBAC,SHA256=DF29EED273144A3CB49AFDB7181E85170841EBCEA764E10C71778BB6F9328929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071604Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:48.345{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FD09E87855C0A51E7D2DC60058C81F,SHA256=9E00A430BDBE666DF2AC912732524ED9A91C2361520C9FE550F1E8431E1FFEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:49.984{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606EA41E14CB1730F893CAAAFA75B6A2,SHA256=F29364E6D4CF5A8E1869069ABB99ABC6F0F8AE566EED69BD99BEED14D0E99FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071606Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:49.880{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220607072316-100MD5=9111EC41FF83C628EF84330FEA05BEAD,SHA256=3F7BCDBE67AB8824DC300550CB45B7322968B387BF2CE401070A8C26F347D813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071605Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:49.440{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486BD9EAE1537D6D362113FE17B70344,SHA256=681EEF0A2682D2156AF8E277982EC2CDB394065B3D2B4DFC62557B535EB8BF86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071608Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:50.894{0A5DF930-FCE1-629E-2100-000000006102}2028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220607072314-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071607Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:50.659{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07A30445984AF7BAF3A5855C6C3FB82,SHA256=5E4E334910651BE8831B49BF33D442563F05F5626D0D1C3344837BBC7572C8CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:48.746{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54785-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071610Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:51.753{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=904967FFC3984A1DE82D0EECF1188CDB,SHA256=4BE55B4468EFFF3A85FB790A478238308FDFB43A47EC8AFA59C8CAC7EFA22B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:51.078{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3684C3E674A498173E3FF05C09B99D54,SHA256=4BA975EECAD8D91EB057509DC8BF3F0EEE05C9200A6FA2249C642A3C3EF1FBBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071609Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:48.838{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50916-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071611Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:52.847{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793C2630B05030A16EFAB135C208AE14,SHA256=C0B34A4518DD601BF39D53794844001D5F3BB87DD6D7AD76027A840B0FFF705B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:52.316{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220607072217-101MD5=26E254714248D0D79F13F56976A5C4B7,SHA256=C15338F826599CD6AABDB3AEEABC6E7FD705959E0E9A072D05126DC09FC03A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:52.173{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0CBFA5264756826BB24820A01D8FB9,SHA256=A2CF5AF229DCE49A6D5E8ED208D4FF892EF8AA2B5FF95C1405056E9101A462EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:53.609{2E1864BB-FCD7-629E-9400-000000006002}50241344C:\Windows\Explorer.EXE{2E1864BB-0DF4-629F-1303-000000006002}504C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:53.609{2E1864BB-FCD7-629E-9400-000000006002}50241344C:\Windows\Explorer.EXE{2E1864BB-0DF4-629F-1303-000000006002}504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:53.609{2E1864BB-FCD7-629E-9400-000000006002}50241344C:\Windows\Explorer.EXE{2E1864BB-0DF4-629F-1303-000000006002}504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:53.594{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0DF4-629F-1403-000000006002}5568C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:53.594{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0DF4-629F-1403-000000006002}5568C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:53.594{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0DF4-629F-1403-000000006002}5568C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:53.594{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-0DF4-629F-1403-000000006002}5568C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000253481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:53.330{2E1864BB-FCA7-629E-2B00-000000006002}2872NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220607072215-102MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:53.266{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDE3121061EF179AB8C46E6B3F6A7E1,SHA256=85281EE932763A5A8544B277EA45FDAB40B5AF239EAF7C5644FDF871C48F0B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:54.472{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71BCD571C31DFB4EE5ADFFFB312A7E4,SHA256=1B98BB8C9261CA36E97AA8824FA3431CF50E8B946C216C1594C6EFB5AD83458C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071612Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:54.160{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B1153804CF3A1476B41FDC447269EB1,SHA256=AEF1EA80F619F6185CAD7AFD90208175AB767A93D929B1B845AF8E17FE7AD83D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:55.675{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A563D23F34443A3A50013D0DB0776308,SHA256=CBD8CE24D3BB303AFCA5776D82DA414251E0746C3FD7CBE386961B01FB973CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071613Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:55.271{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73F76F329B2D34FD9C82F4D45830A74,SHA256=9AD78791CC11B26697E439E322494F22420BBAD7FA487E6792562E487CAFA2FB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000253511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:06:55.427{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=E2113CC4EE30FF4C65D97D41DD209E93E9A7169A19B998FF33E8DF65D39C5CFD 13241300x8000000000000000253510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:06:55.427{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x8000000000000000253509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local2022-06-07 09:06:55.427C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=E2113CC4EE30FF4C65D97D41DD209E93E9A7169A19B998FF33E8DF65D39C5CFD 13241300x8000000000000000253508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:06:55.409{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x8000000000000000253507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:06:55.409{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x8000000000000000253506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:06:55.409{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x8000000000000000253505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:06:55.409{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x8000000000000000253504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:06:55.409{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x8000000000000000253503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteValue2022-06-07 09:06:55.409{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x8000000000000000253502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteValue2022-06-07 09:06:55.409{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x8000000000000000253501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteValue2022-06-07 09:06:55.409{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x8000000000000000253500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteValue2022-06-07 09:06:55.409{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x8000000000000000253499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteValue2022-06-07 09:06:55.409{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x8000000000000000253498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:55.409{2E1864BB-FC96-629E-0B00-000000006002}628680C:\Windows\system32\lsass.exe{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:55.284{2E1864BB-0DF4-629F-1403-000000006002}55686068C:\Windows\system32\conhost.exe{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:55.284{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:55.284{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:55.284{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:55.284{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:55.284{2E1864BB-FCD4-629E-8100-000000006002}27523628C:\Windows\system32\csrss.exe{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:55.284{2E1864BB-0DF4-629F-1303-000000006002}5045116C:\Windows\system32\cmd.exe{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:55.288{2E1864BB-152F-629F-0404-000000006002}3488C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{2E1864BB-0DF4-629F-1303-000000006002}504C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x8000000000000000253523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:56.769{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3873B7BE161936EC4667EEEAD2D3D38B,SHA256=C09FB25A729B01A638CBCF5433F92C81C18106D8C75512770813069418E50E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071614Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:56.365{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C9EE70D9BDA28E097B490A47E209A7,SHA256=2BD640E9F473C71EFB081790B2E1711C02D6660A039BF5098CA7D240889AB841,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:56.519{2E1864BB-1530-629F-0504-000000006002}60603236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:56.331{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-1530-629F-0504-000000006002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:56.331{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:56.331{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:56.331{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:56.331{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:56.331{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-1530-629F-0504-000000006002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:56.331{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1530-629F-0504-000000006002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:56.332{2E1864BB-1530-629F-0504-000000006002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000253513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:56.316{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3056675A2AC51127627477459E4CCD58,SHA256=431EAF7157323CE3632224CCBA0A18F25E0D5CF57AC7D7481AFB744C80BCFF38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.862{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB9A14A804538A90E02834A66308E9E1,SHA256=2538184DA4D6E2382A7CFDF82462FA9EFA3FED9D58E8052F37AF7443F4B9BF10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071616Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:57.568{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35931BD85825D78CA30D8A38F5D46C92,SHA256=38477B72ACB4CC478250033F1DA44D6C1648A6B6B68455EF0578C381C5FB1856,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.644{2E1864BB-FCD7-629E-9400-000000006002}50241344C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.644{2E1864BB-FCD7-629E-9400-000000006002}50241344C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.644{2E1864BB-FCD7-629E-9400-000000006002}50241344C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.644{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-0001-000000006002}2620C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.644{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-0001-000000006002}2620C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.644{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-0001-000000006002}2620C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.644{2E1864BB-FCD7-629E-9400-000000006002}50241280C:\Windows\Explorer.EXE{2E1864BB-FE94-629E-0001-000000006002}2620C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.503{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-1531-629F-0704-000000006002}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.503{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.503{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.503{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.503{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.503{2E1864BB-FC96-629E-0500-000000006002}412388C:\Windows\system32\csrss.exe{2E1864BB-1531-629F-0704-000000006002}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.503{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1531-629F-0704-000000006002}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.504{2E1864BB-1531-629F-0704-000000006002}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000253533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.300{2E1864BB-1531-629F-0604-000000006002}9446140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000253532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:54.765{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54786-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000253531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.003{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-1531-629F-0604-000000006002}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.003{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.003{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.003{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.003{2E1864BB-FC96-629E-0500-000000006002}412528C:\Windows\system32\csrss.exe{2E1864BB-1531-629F-0604-000000006002}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.003{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.003{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1531-629F-0604-000000006002}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:57.004{2E1864BB-1531-629F-0604-000000006002}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000071615Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:54.826{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50917-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.972{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BD7D6D67D0CD4E80C35B24EFECB9FA,SHA256=B403383A0B9DBB9619084BB3E9E180B043AC4068D54FE49F2B1697193F67FE17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071618Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:58.662{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604E96BFCF74B99F87C14F0F7174865E,SHA256=65FB162D9CE969A862C8E21375554B59FE317D74F3A27E51CBC77349336A664D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.628{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-1532-629F-0904-000000006002}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.628{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.628{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.628{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.628{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.628{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-1532-629F-0904-000000006002}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.628{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1532-629F-0904-000000006002}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.629{2E1864BB-1532-629F-0904-000000006002}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000253558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.159{2E1864BB-1532-629F-0804-000000006002}58405596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.003{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-1532-629F-0804-000000006002}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.003{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.003{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.003{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.003{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.003{2E1864BB-FC96-629E-0500-000000006002}412428C:\Windows\system32\csrss.exe{2E1864BB-1532-629F-0804-000000006002}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.003{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1532-629F-0804-000000006002}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:58.004{2E1864BB-1532-629F-0804-000000006002}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071617Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:58.099{0A5DF930-FCE2-629E-2400-000000006102}1704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4E5CFB18DF322CC745E6C322E5743EA0,SHA256=DB5BBE204916AF88718231C4E8D04902DC812735D00A0A117427C83796F7B1CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071619Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:06:59.865{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F10E8C669466337892FF61C46CCBE80,SHA256=9ED244091A22391510D17A79D8D05E5D019C151484A2E97AF34A098FC615BBCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.800{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-1533-629F-0B04-000000006002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.800{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.800{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.800{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.800{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.800{2E1864BB-FC96-629E-0500-000000006002}412692C:\Windows\system32\csrss.exe{2E1864BB-1533-629F-0B04-000000006002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.800{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1533-629F-0B04-000000006002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.801{2E1864BB-1533-629F-0B04-000000006002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000253576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.550{2E1864BB-1533-629F-0A04-000000006002}40044280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.300{2E1864BB-FCA8-629E-3800-000000006002}33643384C:\Windows\system32\conhost.exe{2E1864BB-1533-629F-0A04-000000006002}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.300{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.300{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.300{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.300{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.300{2E1864BB-FC96-629E-0500-000000006002}412692C:\Windows\system32\csrss.exe{2E1864BB-1533-629F-0A04-000000006002}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.300{2E1864BB-FCA7-629E-2C00-000000006002}28843600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1533-629F-0A04-000000006002}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:06:59.301{2E1864BB-1533-629F-0A04-000000006002}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-FC96-629E-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-FCA7-629E-2C00-000000006002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071620Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:00.959{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECFD9ED1607BF60194B58BAC310AE27,SHA256=2E2D71BD2264BF1B44F91580ED399CAB9943302900FB5EE6BFF7B280945B41CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.800{2E1864BB-FCA7-629E-2C00-000000006002}2884NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2957B275808C8B2C3829961B5D145DD3,SHA256=976EF6053F1C71D42BCAD4D75E280EA395313E8215C5236D64781CB9179B5943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.487{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09790161B5E8356ED383B117895D7C7,SHA256=D04C7E6D3B7D1178999D99F986D4630E997C6A49EF6D89180AB69F161EBD898B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000253673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.316{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1534-629F-1504-000000006002}2096C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.316{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.316{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.316{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.316{2E1864BB-FCD4-629E-8100-000000006002}27523628C:\Windows\system32\csrss.exe{2E1864BB-1534-629F-1504-000000006002}2096C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.316{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.316{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1534-629F-1504-000000006002}2096C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.324{2E1864BB-1534-629F-1504-000000006002}2096C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 12241200x8000000000000000253665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteKey2022-06-07 09:07:00.301{2E1864BB-1534-629F-1404-000000006002}2476C:\Windows\system32\reg.exeHKCR\Drive\shellex\ContextMenuHandlers\EPP 10341000x8000000000000000253664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.301{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1534-629F-1404-000000006002}2476C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.284{2E1864BB-FCD4-629E-8100-000000006002}27523628C:\Windows\system32\csrss.exe{2E1864BB-1534-629F-1404-000000006002}2476C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.284{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.284{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.284{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.284{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1534-629F-1404-000000006002}2476C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.284{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.293{2E1864BB-1534-629F-1404-000000006002}2476C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 12241200x8000000000000000253656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteKey2022-06-07 09:07:00.284{2E1864BB-1534-629F-1304-000000006002}4360C:\Windows\system32\reg.exeHKCR\Directory\shellex\ContextMenuHandlers\EPP 10341000x8000000000000000253655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.269{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1534-629F-1304-000000006002}4360C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.269{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.269{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.269{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.269{2E1864BB-FCD4-629E-8100-000000006002}27523628C:\Windows\system32\csrss.exe{2E1864BB-1534-629F-1304-000000006002}4360C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.269{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.269{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1534-629F-1304-000000006002}4360C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.277{2E1864BB-1534-629F-1304-000000006002}4360C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 12241200x8000000000000000253647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-DeleteKey2022-06-07 09:07:00.269{2E1864BB-1534-629F-1204-000000006002}4544C:\Windows\system32\reg.exeHKCR\*\shellex\ContextMenuHandlers\EPP 10341000x8000000000000000253646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.253{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1534-629F-1204-000000006002}4544C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.253{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.253{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.253{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.253{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.253{2E1864BB-FCD4-629E-8100-000000006002}27523672C:\Windows\system32\csrss.exe{2E1864BB-1534-629F-1204-000000006002}4544C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.253{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1534-629F-1204-000000006002}4544C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.262{2E1864BB-1534-629F-1204-000000006002}4544C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 13241300x8000000000000000253638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:07:00.237{2E1864BB-1534-629F-1104-000000006002}5580C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger\StartDWORD (0x00000000) 10341000x8000000000000000253637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.237{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1534-629F-1104-000000006002}5580C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.222{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.222{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.222{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.222{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.222{2E1864BB-FCD4-629E-8100-000000006002}27524456C:\Windows\system32\csrss.exe{2E1864BB-1534-629F-1104-000000006002}5580C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.222{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1534-629F-1104-000000006002}5580C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.235{2E1864BB-1534-629F-1104-000000006002}5580C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 13241300x8000000000000000253629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:07:00.206{2E1864BB-1534-629F-1004-000000006002}6064C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger\StartDWORD (0x00000000) 10341000x8000000000000000253628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.206{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1534-629F-1004-000000006002}6064C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.191{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.191{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.191{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.191{2E1864BB-FCD4-629E-8100-000000006002}27523672C:\Windows\system32\csrss.exe{2E1864BB-1534-629F-1004-000000006002}6064C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.191{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.191{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1534-629F-1004-000000006002}6064C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.203{2E1864BB-1534-629F-1004-000000006002}6064C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 10341000x8000000000000000253620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.175{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1534-629F-0F04-000000006002}2108C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.159{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.159{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.159{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.159{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.159{2E1864BB-FCD4-629E-8100-000000006002}27523672C:\Windows\system32\csrss.exe{2E1864BB-1534-629F-0F04-000000006002}2108C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.159{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1534-629F-0F04-000000006002}2108C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.173{2E1864BB-1534-629F-0F04-000000006002}2108C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 13241300x8000000000000000253612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:07:00.159{2E1864BB-1534-629F-0E04-000000006002}4216C:\Windows\system32\reg.exeHKCR\Drive\shellex\ContextMenuHandlers\EPP\(Default)(Empty) 10341000x8000000000000000253611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.144{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1534-629F-0E04-000000006002}4216C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.144{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.144{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.144{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.144{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.144{2E1864BB-FCD4-629E-8100-000000006002}27521252C:\Windows\system32\csrss.exe{2E1864BB-1534-629F-0E04-000000006002}4216C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.144{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1534-629F-0E04-000000006002}4216C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.149{2E1864BB-1534-629F-0E04-000000006002}4216C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 13241300x8000000000000000253603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:07:00.128{2E1864BB-1534-629F-0D04-000000006002}4340C:\Windows\system32\reg.exeHKCR\Directory\shellex\ContextMenuHandlers\EPP\(Default)(Empty) 10341000x8000000000000000253602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.128{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1534-629F-0D04-000000006002}4340C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.112{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.112{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.112{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.112{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.112{2E1864BB-FCD4-629E-8100-000000006002}27524456C:\Windows\system32\csrss.exe{2E1864BB-1534-629F-0D04-000000006002}4340C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.112{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1534-629F-0D04-000000006002}4340C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.125{2E1864BB-1534-629F-0D04-000000006002}4340C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 13241300x8000000000000000253594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-07 09:07:00.112{2E1864BB-1534-629F-0C04-000000006002}5920C:\Windows\system32\reg.exeHKCR\*\shellex\ContextMenuHandlers\EPP\(Default)(Empty) 10341000x8000000000000000253593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.112{2E1864BB-FE94-629E-0001-000000006002}2620364C:\Windows\system32\conhost.exe{2E1864BB-1534-629F-0C04-000000006002}5920C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.112{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.112{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.112{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.112{2E1864BB-FC98-629E-0C00-000000006002}8364192C:\Windows\system32\svchost.exe{2E1864BB-FCA7-629E-3000-000000006002}3056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.112{2E1864BB-FCD4-629E-8100-000000006002}27524456C:\Windows\system32\csrss.exe{2E1864BB-1534-629F-0C04-000000006002}5920C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000253587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.112{2E1864BB-FE94-629E-FF00-000000006002}58082028C:\Windows\system32\cmd.exe{2E1864BB-1534-629F-0C04-000000006002}5920C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000253586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.112{2E1864BB-1534-629F-0C04-000000006002}5920C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCR\*\shellex\ContextMenuHandlers\EPP" /fC:\Temp\ATTACKRANGE\Administrator{2E1864BB-FCD5-629E-E75A-080000000000}0x85ae72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{2E1864BB-FE94-629E-FF00-000000006002}5808C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x8000000000000000253585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.097{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD01F81AFA5D1289F4D11E113F305BF4,SHA256=7B2C00C6A087AE23B99797D72A2C07F404F732408707BCEC044FFEFE85AAB570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:01.253{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2972CC5FF5E673E7A612E173CDAD7C6E,SHA256=F800A9F7C9E46AE8ADE0530695A2572BE4EE975C2CA66285C6DC9233A5891B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:02.644{2E1864BB-FC99-629E-1200-000000006002}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=40BEF817A5691EC94D3C9C2B4592F395,SHA256=93559395D58C5AA9437579C2780EC1354F5BD70AF2AE75DFC99970FEAF714E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:02.550{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF00043CAA55C395B13B3FC03F43C958,SHA256=CA7150751BBA13CAC6E6BFDC67A21DAD81FDE4F2A1360BBACC2A69C688CFD7DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071622Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:00.826{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50918-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071621Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:02.271{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45442F61E2AAF5729C5D9283BA0F7D68,SHA256=53B4BCC2CCFF4CAC8B119B7A15575C80791C031F55D71C527B732DACA34BB662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:03.644{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D034EB1D866E63E9A1F3C21DCE53D5,SHA256=B332743D8DA5C7CE534BE40CD6CA2AEB05BCB5D1A7E95BC90AFE16AC7C52D5F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071623Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:03.490{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C9A4A232BD490D0934B46209E915AB,SHA256=BB1C343ED987E35CA1D4AB6DB3499F9F5D8CC6D7311EF15EB4315A7B9A746F1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:00.546{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54787-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:04.737{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8479DD2C7F58DB05AA392D5125DAB2,SHA256=E602B19F2D6FA3853F69C1B44E4EEDB3418774BD2C14C46D36E9D0DAACCE6F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071624Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:04.584{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC58ACD9C85D33C3A31C2F0E57B657A3,SHA256=51EC4E5FC0228372225474749A645F5F2CF87103A49B02CAEB54F47BF4B69C59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071625Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:05.787{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28412082B2A10A9D41C3394E7519151,SHA256=50ACCD9829D45F958F0189D61845F54770832D647E56B7E9798CDA789A9E184A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:05.831{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1ABFA7B2044BAF6D47AF8162A38A8C,SHA256=086505F0D9AF6949CE3AC92EC519135D541A9A98E6886FCF4337E173E288BFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071626Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:06.990{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2D807D967F2D66D9F9079C2391DC4E,SHA256=1B87A84A6E84CA9905558F7AFE9E33268D2A1DB6B68B1B05DE2CCC3C7F41F531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:06.925{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B7143AD6CB7AD10D9266FFC65F7E62B,SHA256=1C5E0767CE9B1095C7D37DA2B79FBE257F90294F6272C3F626F7077BFA4E0EE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071628Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:06.779{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50919-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000071627Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:08.193{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3CE8712AB147DDFE32D6543A2139FD,SHA256=E90CE967441F676558851C58E8D0DACF013504A51841E3353AE241B40C229C2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:05.749{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54788-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:08.019{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39E036AC434386D5B2FC4DEE4B8D2C6,SHA256=F8C5D3FA69E49F5462ADE2E5B2699D71BCF961DBB38E93505F47118F3D251D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071629Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:09.396{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601D8164DFB292F065D1E1FA1D88A83C,SHA256=F6EA597D97B229B17AED8B568A3BFE4F7526ABAA54A55C459563DC0B07E46AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:09.112{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1B3DBBF0E6F2EDBF989CABE7BE3648,SHA256=E5722DB9249AC7C2B754DE2FF1471B732B1F23F8E961ECD3BCB85C1F07A848C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071630Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:10.599{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B990C964815AAB748E309B9289E180A8,SHA256=24959F6A9F8F7C4BB0050FCC9D023A2C2082FD084C8B3FECCE32181BADCB8004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:10.206{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A4AC29DA990E7B8BCEB8933B461AAD3,SHA256=94D90FBF674A30734CD5DB4545C66317E1D77F3A7F4912A1B19445BC967C84F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071631Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:11.693{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08AD6B8F0A59B27C0551FCFE283F463,SHA256=53A5E4496D1C838B03DE62D83DFFB6C98F5E3B100ABD99929995BD98A2350866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:11.300{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA3DA7DBF7E7B057A92593918FBAE55,SHA256=9D8F6B8A965C466F0D2477ED43081DB4224B94207AA7EA597E7CC956D896D24C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071632Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:12.787{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6711C866821ABFB658EC910FF81CF3F1,SHA256=C6F68B4D70C49AA425AFBE81D1C84C8BC94205D6240E51B2DE190FF8B428BE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:12.394{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8331BDFE93734E237B01CE39E9974AB1,SHA256=59287650C1F61B02549F3A6F1907A3216E10D6286856977D717FE25B489C2D77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071633Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:13.881{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4ABF2F63022C7FEA3C354F5984CA7BB,SHA256=F88CEF3DCD60A746598144B047A541EC5CBB1B2A87E421906625D4F2DD000C3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000253691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:11.520{2E1864BB-FCB3-629E-7400-000000006002}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local54789-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000253690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:13.487{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6626FC3168539D13180C87303F2A58F0,SHA256=BDA055EF4AD9C4BBA08D1E334F42FEF22BA10D7DAADC71433C196C357CF44717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:14.581{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C408DF7CA4D04B8429A8412D86445FD,SHA256=756B79516E560472A68AE0E5E7BBABAD683AE16E820257521329B43E51113BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071634Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:14.571{0A5DF930-FCE1-629E-1100-000000006102}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C7F7BB18422BD59964C2B5ACD9B59901,SHA256=C042C07904F3A38AD6C3143CA4D63F0118ADD3405348DF27AA6E73C893151EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:15.675{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8974F7DE5CCD9DCD889C2756A0FE15D7,SHA256=D4E7552E45E9232F7EB8A0B14C296CDA0CE3BA5075247BF486D3288DB89FA1AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071646Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:12.795{0A5DF930-FCED-629E-7100-000000006102}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal50920-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x800000000000000071645Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 09:07:15.212{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000071644Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 09:07:15.212{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005fdd71) 13241300x800000000000000071643Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 09:07:15.212{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d87a45-0x98ed5309) 13241300x800000000000000071642Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 09:07:15.212{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87a4d-0xfab1bb09) 13241300x800000000000000071641Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 09:07:15.212{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d87a56-0x5c762309) 13241300x800000000000000071640Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 09:07:15.212{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000071639Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 09:07:15.212{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005fdd71) 13241300x800000000000000071638Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 09:07:15.212{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d87a45-0x98ed5309) 13241300x800000000000000071637Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 09:07:15.212{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87a4d-0xfab1bb09) 13241300x800000000000000071636Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-SetValue2022-06-07 09:07:15.212{0A5DF930-FCE0-629E-0B00-000000006102}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d87a56-0x5c762309) 23542300x800000000000000071635Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:15.087{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1B8CBB8355787CE65EB7ABD16DF4F9,SHA256=AAE121662B73BE8379ECA211A7714201002C70117583331DC0931F38E50A2C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-07 09:07:16.769{2E1864BB-FCBA-629E-7E00-000000006002}2536NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C1F4DB79CE0E44555A0569B27D1C10,SHA256=41AA0A08BB715AB6FAAD47DF86C5AE78CF7DF94509AAA0DF93ECC7AE4C772246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071647Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-07 09:07:16.290{0A5DF930-FCF4-629E-7B00-000000006102}3268NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51D06964518AC57A2C6123F1094CBED,SHA256=5C048E1D947C621AF63F2E4860E9DD217AAFB858FCCDB2951AACAF14854D4402,IMPHASH=00000000000000000000000000000000falsetrue