23542300x800000000000000017310415Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:19.791{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3936869B917F65D5DCEEF5DDD0EF275F,SHA256=4E0BB3FE12F1386ADE23538D12DB22EC8F8BCB8DBE84548D90EDCB49D47C982C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121018Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:19.469{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7722558AC7D631BE9194A5A739AFEF32,SHA256=FC849F46DD5CA0FF2B0E2E9E2D6624767E604B88A2DE68A57C05E49DF7550492,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000017310414Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000017310413Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x13bdf599) 13241300x800000000000000017310412Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7dd25-0x21de9555) 13241300x800000000000000017310411Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7dd2d-0x83a2fd55) 13241300x800000000000000017310410Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7dd35-0xe5676555) 13241300x800000000000000017310409Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000017310408Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x13bdf599) 13241300x800000000000000017310407Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7dd25-0x21de9555) 13241300x800000000000000017310406Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7dd2d-0x83a2fd55) 13241300x800000000000000017310405Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7dd35-0xe5676555) 354300x80000000000000001121017Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:37.149{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54332-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001121016Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:36.966{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-49016-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121015Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:36.664{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-43372-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017310417Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:20.822{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C8AE037009128C36F84B9E488E7F00,SHA256=BE602EF73C93DDF488326F09219AB82754D1C1A1518244A66339F7CDBCCF8B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121019Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:20.486{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA77B77E82043ABA226E441068192C63,SHA256=CC34D4A8C042ADE6C6874E2CCB3E2A4C7FDD8ED6C07448C0A76C9495689075D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310416Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:20.769{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2843536BD7F8798FAA16BB38AEAF1B5F,SHA256=3B9E06A120533999CD185D378E30BDAEE287209E07AB78937B1AF12073205190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310418Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:21.837{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8DDFF1FD553DCDCF5BC10F02749D6B,SHA256=0B355908D66200E2D0A0819642334DC7FEAE3A6F890D2912BCBC941BA6EDD331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121021Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:21.486{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6788FF9A10AB64C0A8F34AD52196004D,SHA256=0D41C78ED3A495B505799CA9BE556E0C8813787AD7536C212EE68FF76063A5E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121020Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:39.710{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-55070-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017310423Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:22.840{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA92965BF05517441DAC50A49ADB7A7A,SHA256=73879A06F13AA4C5D834A7492546961AE94982FC6F0117D5104F8361365E6BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121022Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:22.501{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F7561BCACAFB27E9121E5A6D3B99230,SHA256=8C3825081B61FBEE100BD833BA5FF3F3D853317C06458E01BF9C7E8BE8FCCADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310422Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:22.809{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\glean\db\data.safe.binMD5=1157171C0ED2D41CF1D80EED7E671A98,SHA256=9FB8C5A042A9EC835C6CD37F1F6AE414E758713C9FCA1CF7262426F4E9E7644C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310421Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:22.258{CBEA6AB7-6A11-6192-2900-000000000E02}2928NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\respondent-20211115140924-5381MD5=B1D65678BAAFB9FBC346ADDC22B9EF13,SHA256=A60E4A1EB0B1846EE4D092EA74D659E3EDD5022A58AD08DA4DCF9E97FBF70157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310420Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:22.140{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5073CD9F2AA4480FCB35A6D5E97978AA,SHA256=CE3705F1D1FE8EF106186EB26E511C069D31567A87BB29DAA8865EBE26105856,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310419Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:17.077{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-58522-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310426Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:23.860{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F185A89B520AF362136D09B545A83872,SHA256=61963224F52F605D16E38E6022FB4DDB9FA8652B2903DB7C4F14885DF1EB0652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121025Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:23.532{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D0627FCB1B1831947B4F426FDEA825,SHA256=EEBCEF879A47E3D01268CBE248EC2CFA84A85BC75D80C7F4CEDE7474E54546D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310425Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:23.271{CBEA6AB7-6A11-6192-2900-000000000E02}2928NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\surveyor-20211115140922-5382MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310424Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:18.413{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-35554-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 10341000x80000000000000001121024Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:23.401{068A336D-6C46-6192-0D00-000000000F02}7844472C:\Windows\system32\svchost.exe{068A336D-6C46-6192-1600-000000000F02}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121023Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:23.401{068A336D-6C46-6192-0D00-000000000F02}7844472C:\Windows\system32\svchost.exe{068A336D-D3FB-6193-212B-000000000F02}2556C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310486Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.977{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D681A2646D3E7FF3E1324E64CA2F5387,SHA256=EECE634EF8166F3CFC4E546D54DAEB6CC436C09D5621A2D46351B0F8999C9832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310485Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.930{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310484Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310483Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310482Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310481Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310480Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310479Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310478Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310477Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=83BCEF27E5B36115C2ADBA73CE9A7D2B,SHA256=3F68B0FEFBD484094D6517761B2DC13C6A430DDE3B44FA6CCACA3E39052D2AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310476Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=177BC07ECED26CEBE0441C318BD35BB8,SHA256=2A816C802C006DF75CA86E1497E4CF05DFB0F07DB0CD31C0EC30EDAF92C2DF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310475Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.910{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310474Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.909{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310473Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.908{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=D4CAC8D363ACBEEB77FC616EFCAFA807,SHA256=1A699ABE0FE1DDA83923E04E5D7CBA096FFBBACF4A5A448829E3A9B135F177F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310472Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.906{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=7F9435AB56C542EF409A8A0F4A8A2E06,SHA256=3D6847C72C5475D9445E73B5AFF1A70127C1F9BCB62C197103BD7E1BD1181AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310471Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.905{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=6FD27B6CED089FAAB1A06A99C5693674,SHA256=C7FC6253BD08AC60D8BC5BFA4C16EB0A867C0C3625D82485CA44DA38DCA8A2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121027Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:24.569{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68ADAAC463F11E263C9678F3B809BAD,SHA256=30C087E4FE072280C339757D08D4862EF2EA73B0359C48F7D102CCBD9360D047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310470Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.643{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=DA56C63FA6B997392E730EABEABBFE9E,SHA256=8B82BAA2FE38C75769709FDC669DC233F8AB17C57A56EB0CBC5BB9736D154815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310469Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.643{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=D6999CF521D06023AF9E7BC899777338,SHA256=8FF6F2785509EB44B3DCD9D77C0D5DAD06764C351B6C87971EA747D8A882AD55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310468Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.643{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=D80C6F35940A3A48835EB680B4354F3E,SHA256=DFD4F558F85E03C33F991B9D2292C8CF4753FE84A7CBF124B98655EC06D50A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310467Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.643{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310466Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.643{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=355F1C82CFC562F3984F8AF46B4F2D9F,SHA256=34E27870F13F027BCA44945B3F7C6B66C88D64AB04306F33977CA72500A12B2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310465Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.628{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=9476138EBDCD72B0827103BB8B87FF19,SHA256=07037B0FB60E06E20F54CAA13285355F85CC0A72042E52CD046B61C5F45A1678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310464Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.628{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=CB54FCAFBF73DAFAF4B7E22338C9DD2B,SHA256=5838014C12E2EE0F6FDC6EE191399A52C6AAF95EBA947686A8BF4B79D6EDB83C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310463Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.612{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310462Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.565{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310461Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.560{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310460Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.559{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310459Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310458Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310457Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310456Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310455Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310454Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310453Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310452Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310451Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310450Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310449Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=0DBA6F5178E8433D0EED8C5BB5223635,SHA256=262DCBF46B0C20468B29D2908412070388B9BAAF0AFED3693245F92E61E5DE00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310448Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D65C0F2F756552800930D7EDA0264C0B,SHA256=67606ECCDB4FA978F4795C2ABC47767824C6D5AD65C3EE02E0E7445A31CF37CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310447Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310446Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.526{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310445Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.526{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=AFD5A023DF4245E323E53D47A0BF9414,SHA256=FEE63ABE7743CA680B6C96024D9EE023C10F7C9BC1929231A663A55A79EF5D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310444Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.526{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=80ED9689AB372AAC91B47B347AE5A3BD,SHA256=253E054323EF5921475DD6DFC92942944B17AD7F18FCF851C44F165687F845AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310443Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.526{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310442Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.526{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310441Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.526{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=10DF08FF9D77ACBF8F2BFB88B4BF1E3E,SHA256=4CC64D82E2EE876BA287302C877554B9D226416AF66CDF9C0350DBB845433881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310440Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.510{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E1E560A4EAE533286AEA5189E628BBCA,SHA256=0E5F9C474D34A165AF58EFB90E76E2CEDAE8A3E4FC29A6D9B9E2CFAEACD88A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310439Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.495{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=CB54FCAFBF73DAFAF4B7E22338C9DD2B,SHA256=5838014C12E2EE0F6FDC6EE191399A52C6AAF95EBA947686A8BF4B79D6EDB83C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310438Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.495{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310437Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.409{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=7F9435AB56C542EF409A8A0F4A8A2E06,SHA256=3D6847C72C5475D9445E73B5AFF1A70127C1F9BCB62C197103BD7E1BD1181AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310436Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.394{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310435Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.394{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=D80C6F35940A3A48835EB680B4354F3E,SHA256=DFD4F558F85E03C33F991B9D2292C8CF4753FE84A7CBF124B98655EC06D50A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310434Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.394{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310433Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.362{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=DA56C63FA6B997392E730EABEABBFE9E,SHA256=8B82BAA2FE38C75769709FDC669DC233F8AB17C57A56EB0CBC5BB9736D154815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310432Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.300{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310431Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:20.373{CBEA6AB7-643A-6197-729C-000000000E02}7764C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60104-false142.250.186.170fra24s08-in-f10.1e100.net443https 354300x800000000000000017310430Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:20.371{CBEA6AB7-6A11-6192-2D00-000000000E02}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50039- 354300x800000000000000017310429Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:20.369{CBEA6AB7-6A11-6192-2D00-000000000E02}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50111- 354300x800000000000000017310428Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:20.368{CBEA6AB7-6A01-6192-1400-000000000E02}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50111-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domain 354300x800000000000000017310427Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:19.619{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60103-false10.0.1.12-8000- 354300x80000000000000001121026Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:42.162{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54333-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017310488Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:25.914{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E1A6E966530A764C6A0D43E0265DE1,SHA256=5B1C44235A5FBF6A932649E5E5F933D6BEC8C248A3325C0FC3568F4DA6496E09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121042Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-77D5-6197-81A1-000000000F02}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121041Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121040Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121039Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121038Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121037Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121036Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121035Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121034Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121033Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C45-6192-0500-000000000F02}408524C:\Windows\system32\csrss.exe{068A336D-77D5-6197-81A1-000000000F02}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121032Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121031Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-77D5-6197-81A1-000000000F02}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121030Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.670{068A336D-77D5-6197-81A1-000000000F02}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121029Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.585{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065ED90A757B035E7E14F7BEAF680BF5,SHA256=0FD8FE16F892E9105FE1C5EFE5767EC44B814FEA05B26F4E7DE5B326F5D1BB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310487Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:25.445{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121028Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.532{068A336D-6C46-6192-0D00-000000000F02}7844472C:\Windows\system32\svchost.exe{068A336D-6C46-6192-1600-000000000F02}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310489Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:26.944{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B597461897201610BCA202551575CD9,SHA256=5094F138538000722E5FCC658F689CA197AC056BD01EB7D729FC96121B56A396,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121096Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.890{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-77D6-6197-83A1-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121095Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.890{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121094Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.890{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121093Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.890{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121092Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.890{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121091Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.890{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121090Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.890{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121089Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.890{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121088Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.889{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121087Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.889{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121086Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.889{068A336D-6C45-6192-0500-000000000F02}408424C:\Windows\system32\csrss.exe{068A336D-77D6-6197-83A1-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121085Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.888{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-77D6-6197-83A1-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121084Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.869{068A336D-77D6-6197-83A1-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121083Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.852{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7DAF22911A65EB612F8282FFE323E98,SHA256=7874701D7A5747A9E3D4B111E9D0579DD49CF1A107C0CFCEB269EDCA02405B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121082Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.852{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8DEAC2681D5D9C2EA8F6D9881F867E,SHA256=04933F1D02780A97C1154FF7C9ADF12ECD9F1F3E9169676E38E7E7775E629340,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121081Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.621{068A336D-77D6-6197-82A1-000000000F02}16206704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121080Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121079Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121078Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121077Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121076Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121075Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121074Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121073Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121072Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121071Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121070Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121069Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121068Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121067Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121066Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121065Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121064Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121063Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121062Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121061Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121060Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121059Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121058Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0B-6193-5C2A-000000000F02}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121057Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0B-6193-5C2A-000000000F02}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121056Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0B-6193-5C2A-000000000F02}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121055Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-77D6-6197-82A1-000000000F02}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121054Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121053Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121052Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121051Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121050Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121049Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121048Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121047Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121046Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121045Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C45-6192-0500-000000000F02}408424C:\Windows\system32\csrss.exe{068A336D-77D6-6197-82A1-000000000F02}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121044Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-77D6-6197-82A1-000000000F02}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121043Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.353{068A336D-77D6-6197-82A1-000000000F02}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310490Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:27.959{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA386D2813A19ACAA9A62E1A65962944,SHA256=3F343ABBD607A5B64D5BFE70E94E8F96CF9C11E622824107A14301FA3A2647C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121098Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:27.637{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2B2DA57BF58061C9BD05E5DEA8D2A0,SHA256=E8431F9527A40FDF8186CC6CC57B042DBB8555467A0F30E8EA78B39C9DA06FD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121097Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:45.280{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-34240-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017310491Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:28.973{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7108FA24CE60F99CB4219C28E85B3F6,SHA256=8374A917EA85321B9F084DE3951DC4F2DA9E4BF41FFF49DFF65C648668F4B76C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121100Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:28.637{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F55C2DF63B5AD83D6656CFA1B6E1F906,SHA256=227D13E83059AF28853025B05B01564DF4645232D89F20489BC87A99A486420C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121099Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:47.245{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54334-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017310494Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:29.988{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=715AC2847F07DDE7037E5C06B5FAAE85,SHA256=DEFFE42FC89BC0DDCC664014DC1D91213346C6AE8F6CED4A368AA5B4F2000294,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121130Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.955{068A336D-77D9-6197-85A1-000000000F02}35163248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121129Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-77D9-6197-85A1-000000000F02}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121128Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121127Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121126Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121125Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121124Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121123Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121122Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121121Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121120Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121119Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C45-6192-0500-000000000F02}4081764C:\Windows\system32\csrss.exe{068A336D-77D9-6197-85A1-000000000F02}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121118Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-77D9-6197-85A1-000000000F02}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121117Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.687{068A336D-77D9-6197-85A1-000000000F02}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121116Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.655{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6444697AC1CD450AD692FD0F037517,SHA256=BBF0AA92FB696D6292334B7858F3EE29EB96E27981A77B353232E22C3B5E4DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310493Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:29.210{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06D8543A8584FFE949874B5759AEBEEF,SHA256=41B115287ED2E0EC1E1B88E7EF1E9F6FAA0016A6CED2431B6A2A817C8712F3C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310492Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:29.210{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A66728EFCA290B40C6D429D1020E492,SHA256=0456C75A05CB15617064DCA7A0C95DC74B36CF6FE4AE478874CE9BF3AA75A8A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121115Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:47.428{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-38500-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x80000000000000001121114Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.238{068A336D-77D8-6197-84A1-000000000F02}61802464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121113Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-77D8-6197-84A1-000000000F02}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121112Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121111Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121110Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121109Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121108Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121107Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121106Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121105Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121104Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121103Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C45-6192-0500-000000000F02}408524C:\Windows\system32\csrss.exe{068A336D-77D8-6197-84A1-000000000F02}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121102Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-77D8-6197-84A1-000000000F02}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121101Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:28.986{068A336D-77D8-6197-84A1-000000000F02}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121144Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.824{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5081DE5B5D6DFA7A04C81A710CE067D,SHA256=5B06320321622FFD0B4DC982C6FB99A20D46C27871CC1A4C94429CDE9CD3CCFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310497Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:30.406{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06D8543A8584FFE949874B5759AEBEEF,SHA256=41B115287ED2E0EC1E1B88E7EF1E9F6FAA0016A6CED2431B6A2A817C8712F3C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310496Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:25.657{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60105-false10.0.1.12-8000- 354300x800000000000000017310495Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:25.578{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-48992-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 10341000x80000000000000001121143Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-77DA-6197-86A1-000000000F02}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121142Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121141Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121140Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121139Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121138Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121137Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121136Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121135Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121134Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121133Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C45-6192-0500-000000000F02}4081764C:\Windows\system32\csrss.exe{068A336D-77DA-6197-86A1-000000000F02}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121132Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.392{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-77DA-6197-86A1-000000000F02}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121131Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.387{068A336D-77DA-6197-86A1-000000000F02}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121159Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.896{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4300A6E06B1274589CAF7B11F6E9401,SHA256=A3226709DCEE05017E529B688648F5356A573335367F2DDFDAF0FD2D27C8D49F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310499Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:26.793{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-53978-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310498Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:31.006{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEAA7D84018328A7BA2CFB740C65D1F5,SHA256=83D30DE9DE0FC02933876D25AD6025712E70FDB242AC04A7F020C69A97AA3E64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121158Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.343{068A336D-77DB-6197-87A1-000000000F02}41726684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121157Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-77DB-6197-87A1-000000000F02}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121156Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121155Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121154Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121153Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121152Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121151Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121150Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121149Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121148Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121147Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C45-6192-0500-000000000F02}4081764C:\Windows\system32\csrss.exe{068A336D-77DB-6197-87A1-000000000F02}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121146Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.092{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-77DB-6197-87A1-000000000F02}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121145Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.072{068A336D-77DB-6197-87A1-000000000F02}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121160Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:32.959{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94982754DE15D3469AF397623F53C81,SHA256=C94EE3460ACC8155E16EC928B308DBF7E0DB53CC3880A1891C15269DF62E6801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310500Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:32.024{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E453B3B4FAA332623AC3307BEF22C7,SHA256=60B0C516B00D1F6168A86091EAF1C62365C2E02BDBFFD1795C072D4CF65DCBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121161Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:33.994{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4179049B75B1070E34B9355F775CFE6,SHA256=DD33D49B1D10E46335B91C467CC63CA2C5438E254941A78283EE50A5BDDC7EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310501Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:33.039{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1B9F609EF78C9081787B6E60C1808E,SHA256=9EDB41B09DC0E7FB18635A77E5451985CF63513B191A17939DE169C7FDAE48B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310503Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:34.568{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C38D58D31CE452604298EE1E400ED7AB,SHA256=488BC0A97CD24C9D68AA2E7070295587A1E233249E6C0ACA2901E19692B087C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310502Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:34.053{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88E85AFA955FBE00CA99DEC5DA09DE9,SHA256=C6479781A0E7D01FBD68FCBD735327E6B6FF22D98ACDFE478E2EBAB841163D99,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121163Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:53.205{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54335-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121162Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:35.160{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A10875F1BFF09FBF238A7FB01AD1611,SHA256=29BC721B4D79F89D71D11D4071C5F323322E12E95C6C8EB3584911904FDDAD1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310505Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:30.747{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-34896-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310504Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:35.068{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A3F20D738443965994ACBBEB3014B6,SHA256=D355FBB309E2D38102FC9C74862A66114D10F498E46BBFF04AE193B0A88DA796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121164Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:36.175{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8186A2CDB2ED79693E3BA3CE8A38D6C,SHA256=8137C0F838B9F6E9711415B35812B950CA904FA834199AF4CAF0F4FFE1E46E5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310507Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:31.674{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60106-false10.0.1.12-8000- 23542300x800000000000000017310506Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:36.087{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D327F2CE0C310B93CAB47F20FE7BDB9,SHA256=F80B0443598EFC5DD1F892F40E3E2C15355C548579E55215C895A82CC6A2423D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121166Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:56.256{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.59-15602-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121165Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:37.195{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A935E29DCFECC1D911146E563890D11,SHA256=1C33E06486E9C77CEB39D84582C6E61DF7F2781940C9B67BC975E43F4AE5649F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310508Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:37.104{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0F98ED97D74CCFCE75FDEA03583B4A,SHA256=2CF02207A3AF9FAA4367FBE80B0120653A4CB66FA8517136AAD0A1190F23770B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121167Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:38.277{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66BB4D4BDC1ADBAB22C553AAD01F886C,SHA256=7E75BF3EB56446BA3E019A63CDCBF127C83AF053C4834DDBE15EBD220508E714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310510Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:38.769{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B412406766C9585E47007176B2B8E89B,SHA256=EA71A99BE6AD8CC83272683AEDE8C5BC41E47AF64D2B5EE2264E5592C783D701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310509Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:38.138{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29AD53582D62540F59ADEC8390EF17D3,SHA256=F9935BA140ED6791E357CE30AF814E27E90CAF834555FB98D7606731D4D18C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121168Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:39.295{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838E8A6CBDDCED5D18B5787CB17B7735,SHA256=D1F8120875FB4861167CA19117A06989C5FF9D4A2D0A0B2917FC90F0A36036FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310513Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:35.306{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60107-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 354300x800000000000000017310512Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:35.306{CBEA6AB7-6A11-6192-2700-000000000E02}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60107-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 23542300x800000000000000017310511Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:39.153{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C43D489D6BC900EE2A13730FBDF6CE,SHA256=7351A7BBB16C2813401E4F4B261BD934030247209CD8BA6000D0498E43483DED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310515Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:35.647{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-45556-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310514Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:40.183{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29C5D51874953E5ED884EC2EEC24E6A,SHA256=3FE001C2886BC0F100B99D84640A1866A306C4FE64016CB6C1F53308801280C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121170Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:58.276{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54336-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121169Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:40.361{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9946E1922FE4AFBCE868AF6CAC602B7,SHA256=8ADC164F482998B6C2E64146DD6B6A833B996FF2E09DD3E5C23247752974ED22,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310517Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:37.672{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60108-false10.0.1.12-8000- 23542300x800000000000000017310516Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:41.184{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00EB8252429420D3A47C7E0DB78BF520,SHA256=7BE65A83DE20325E859A32BB8778147DF9C8F526F93285C6A603157D09CD91BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121173Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:41.362{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39CE1CA058819EF96388F228FD694A5,SHA256=A86AAA86E07846CBB063059C047A2CA5E53FF22CD19908C68AD3E30AE7768792,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001121172Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:41.362{068A336D-7D1C-6196-DA82-000000000F02}5628C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j82gpjv7.default-release\SiteSecurityServiceState.txt2021-11-18 16:24:43.684 23542300x80000000000000001121171Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:41.362{068A336D-7D1C-6196-DA82-000000000F02}5628WIN-HOST-273\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j82gpjv7.default-release\SiteSecurityServiceState.txtMD5=06F3483D3FC62C8C15725B743374EF61,SHA256=D663215C1D4F5243BC484DBBE6E74F3661E404BF668672B7A39DE875C339CABD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121175Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:00.886{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-36080-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121174Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:42.377{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D49E905233EC1DBD08286CD2011F46C,SHA256=A80D0EDB76F2981F54B307A7BA8E7F4A7E6F86F90A77E5D15420C41FCC85C33C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310518Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:42.202{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC343AF32D9C5C651604421834A2601B,SHA256=200F0836EB5865C3C0A20E7A9A9867984431A35521521F0020A6C1EB9DC7CA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121176Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:43.395{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCE6EE00B91A3126CD026799F53B3B8,SHA256=CF4C96749B118F992499CE4133F9847EC9B6CC3451E0DAD888A1F48C6007DEC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310529Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.720{CBEA6AB7-77E7-6197-D29E-000000000E02}68687580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310528Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.520{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-77E7-6197-D29E-000000000E02}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310527Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.520{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310526Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.520{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310525Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.520{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310524Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.520{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310523Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.520{CBEA6AB7-69FF-6192-0500-000000000E02}408524C:\Windows\system32\csrss.exe{CBEA6AB7-77E7-6197-D29E-000000000E02}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310522Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.520{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-77E7-6197-D29E-000000000E02}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310521Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.499{CBEA6AB7-77E7-6197-D29E-000000000E02}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310520Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.220{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E341CC1A1A66085DE7DB8F90E9F6EFC,SHA256=54931C35BE0B1997D1926A42B8752BE416554AB1879A8A0B23434594C9E06F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310519Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.220{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730662B963A50B08218C66DDC0268738,SHA256=666E6E1DDC86E696A4429F0B6635CCC921CDD61F641CB1C429129CF0D24644EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121177Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:44.532{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864160DE7D98722A2EE2E9458E8C34AB,SHA256=136F8DE284E842AD6431A190FF3A593B1EE94E266D4D8711CF4B845B023A9FD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310548Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.883{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-77E8-6197-D49E-000000000E02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310547Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.883{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310546Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.883{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310545Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.867{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310544Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.867{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310543Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.867{CBEA6AB7-69FF-6192-0500-000000000E02}408424C:\Windows\system32\csrss.exe{CBEA6AB7-77E8-6197-D49E-000000000E02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310542Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.867{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-77E8-6197-D49E-000000000E02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310541Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.868{CBEA6AB7-77E8-6197-D49E-000000000E02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310540Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.535{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86DF31EA5A647E986E7871772108897F,SHA256=39322AF51313CB743C0E6E5DA1D96109262B2FF0B4200E41E31BD785CA3C905D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310539Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:39.533{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-53744-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310538Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.235{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5B6860F5BFD438F561A4DA77F2164D,SHA256=EE921E4AE7C31323AC8B66DFD4040140B6E026D60B8E5CD65DDC00BA28E690B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310537Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.200{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-77E8-6197-D39E-000000000E02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310536Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.198{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310535Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.198{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310534Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.182{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310533Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.182{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310532Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.182{CBEA6AB7-69FF-6192-0500-000000000E02}408492C:\Windows\system32\csrss.exe{CBEA6AB7-77E8-6197-D39E-000000000E02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310531Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.182{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-77E8-6197-D39E-000000000E02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310530Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.183{CBEA6AB7-77E8-6197-D39E-000000000E02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001121179Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:04.193{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54337-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121178Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:45.648{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE969CBDDD062570C6A06FC186434BF8,SHA256=32DB538DE7E3246B80CB7932895F366256AAF6E06F598603C8AE5751D9AC9C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310559Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.883{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ED07604E0AE4C0D40CC40325C62E398,SHA256=003D6C81664A0D33540BD0C1AF9146D0E9696FFB7E23A6E1F08AA116C990CB95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310558Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.782{CBEA6AB7-77E9-6197-D59E-000000000E02}58925524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310557Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.582{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-77E9-6197-D59E-000000000E02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310556Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.582{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310555Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.582{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310554Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.582{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310553Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.582{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310552Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.582{CBEA6AB7-69FF-6192-0500-000000000E02}408492C:\Windows\system32\csrss.exe{CBEA6AB7-77E9-6197-D59E-000000000E02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310551Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.567{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-77E9-6197-D59E-000000000E02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310550Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.567{CBEA6AB7-77E9-6197-D59E-000000000E02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310549Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.251{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C6D97C10EC38418D70FE7940AD7ABA,SHA256=DE44BBB1453A60A0AFBA6ED761E37981F8D22F3292F02577BE85A321ED361335,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121181Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:04.520{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.82.77.234scanner.openportstats.com29152-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121180Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:46.778{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA6FC3FBA5D1190D7DCD3CF1E521F10,SHA256=24C7D1E2B9468850D40D32688888E9720E8517EA42C219AD6161ABC84BDB618E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310576Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.951{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-77EA-6197-D79E-000000000E02}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310575Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.951{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310574Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.951{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310573Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.951{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310572Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.951{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310571Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.951{CBEA6AB7-69FF-6192-0500-000000000E02}408424C:\Windows\system32\csrss.exe{CBEA6AB7-77EA-6197-D79E-000000000E02}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310570Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.951{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-77EA-6197-D79E-000000000E02}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310569Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.934{CBEA6AB7-77EA-6197-D79E-000000000E02}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310568Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.298{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D6A8BBEB3259EC57BBE4DE4F6F80F7,SHA256=8911DB9962EF588CBEB92C9CF2B39949669CB919BDE4380F94F724495E20C787,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310567Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.266{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-77EA-6197-D69E-000000000E02}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310566Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.266{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310565Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.266{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310564Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.266{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310563Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.266{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310562Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.266{CBEA6AB7-69FF-6192-0500-000000000E02}408424C:\Windows\system32\csrss.exe{CBEA6AB7-77EA-6197-D69E-000000000E02}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310561Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.266{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-77EA-6197-D69E-000000000E02}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310560Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.252{CBEA6AB7-77EA-6197-D69E-000000000E02}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121184Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:47.849{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE173B1D1161D28163DDF6BF394F30B,SHA256=5198D482CF1BA1BA992BF5A1CE0CE42072B46C5DB70A7A00D8D9FE4822344784,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310593Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.851{CBEA6AB7-77EB-6197-D89E-000000000E02}56245748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000017310592Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:47.697{CBEA6AB7-6A11-6192-2E00-000000000E02}3004C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\583610C9-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_583610C9-0000-0000-0000-100000000000.XML 13241300x800000000000000017310591Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:47.697{CBEA6AB7-6A11-6192-2E00-000000000E02}3004C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9D186EAE-3FAB-47AA-9E34-ADCAE99EEC51\Config SourceDWORD (0x00000001) 13241300x800000000000000017310590Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:47.697{CBEA6AB7-6A11-6192-2E00-000000000E02}3004C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9D186EAE-3FAB-47AA-9E34-ADCAE99EEC51\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9D186EAE-3FAB-47AA-9E34-ADCAE99EEC51.XML 10341000x800000000000000017310589Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.635{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-77EB-6197-D89E-000000000E02}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310588Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.635{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310587Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.635{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310586Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.635{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310585Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.635{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310584Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.635{CBEA6AB7-69FF-6192-0500-000000000E02}408424C:\Windows\system32\csrss.exe{CBEA6AB7-77EB-6197-D89E-000000000E02}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310583Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.635{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-77EB-6197-D89E-000000000E02}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310582Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.630{CBEA6AB7-77EB-6197-D89E-000000000E02}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310581Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.466{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310580Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:42.734{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60109-false10.0.1.12-8000- 23542300x800000000000000017310579Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.298{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E1DB9E1222CDB7C3EEDB33325E0553,SHA256=936A7F03D0E3882017E4655ECAFB41CE9FE9815E8BBEEFB2912DF840BD0A1ECF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121183Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:05.914{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-55552-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121182Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:05.816{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-46856-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017310578Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.251{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42ABD3D4A51EEB55F0028E750200B600,SHA256=87013CEC3FD49CEF2AB0D0DA6708B913C775DCB988FB2EF3D9DA154542AA04B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310577Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.114{CBEA6AB7-77EA-6197-D79E-000000000E02}91207536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001121186Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:48.879{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF525BBA2BFEDFF46880E6DF35BD2B9,SHA256=24A3AFC4815663996964010DE21A1F64ED16C6BF008A6700E75CF1C7DF744018,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121185Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:07.090{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.219-32032-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017310595Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:48.513{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5D820BF2DA00D08E9F640DB300FD241,SHA256=339FC51C8445F871A27EB594DEB3D82646E9F1D2E3FD7D0EA19B1A30B06E20D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310594Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:48.335{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62C208CABE66C756C0DA694A903FE16,SHA256=02CD4F9A4F627010646D8FD15D9C5D5882DBB93ACB11AC3DDFB32D833FBAAF29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121187Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:49.899{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3C1FA5EB90F430B87C77EAB315E390,SHA256=B084C4F3790A5E2C9D55216EED470325952948BA417F7B94A9062FB2BC331FDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310607Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:49.980{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A01-6192-1500-000000000E02}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310606Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:49.980{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A01-6192-1500-000000000E02}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310605Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:49.980{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A01-6192-1500-000000000E02}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000017310604Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.264{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60113-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local389ldap 354300x800000000000000017310603Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.264{CBEA6AB7-6A11-6192-2E00-000000000E02}3004C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60113-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local389ldap 354300x800000000000000017310602Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.256{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60112-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local389ldap 354300x800000000000000017310601Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.256{CBEA6AB7-6A11-6192-2E00-000000000E02}3004C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60112-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local389ldap 354300x800000000000000017310600Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.240{CBEA6AB7-6A01-6192-0D00-000000000E02}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60111-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local135epmap 354300x800000000000000017310599Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.240{CBEA6AB7-6A11-6192-2E00-000000000E02}3004C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60111-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local135epmap 354300x800000000000000017310598Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.002{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60110-false10.0.1.12-8089- 354300x800000000000000017310597Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.872{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-37444-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310596Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:49.365{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CB8A33DDF3C5BF991E963AF2F225F5,SHA256=B81C3F5764BD2CD32E46DF62ECE81EE9D7B855B88119C09BCE0D16B3B77F4E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121188Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:50.949{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8965F5C09D5339A9940AD885FBBA1B,SHA256=5081BC7E6D5EE5605C69FC3B3A65C3DFB7B1082BDCA761C3D53D6BCD2329AD5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310609Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.646{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-39184-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310608Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:50.395{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3F21080652A1D2BFB7604E07B6A05C,SHA256=D658D743458E8790523C12F601A9A85A8E6A789B507F6112829FFD8173762206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121191Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:51.980{068A336D-6CBE-6192-9900-000000000F02}3876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121190Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:51.964{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F6CC5ED135C444B7FBDD4CDB6912E6,SHA256=1E8154105C4C55BAC874333B416CAEE3ED47BEAF909BF6E04A75DCC0DF44F624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310610Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:51.410{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DAAA83B03DAB09582553EB8FBBD86F,SHA256=8FED43C6BD17EF65BD216D1E67E101E1601D727E6C65AFA9CFB46A64D51E6F6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121189Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:09.086{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-34276-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121193Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:52.980{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD069E69A000404AD1FC59EA20245FF0,SHA256=240879174666379CD6B64C602225B2CB2F99F87F2083823C18AC0CE3F655BEAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310612Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:48.661{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60114-false10.0.1.12-8000- 23542300x800000000000000017310611Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:52.427{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B7AD73200EEA2128935B7A864C44A64,SHA256=83998D29BE099089D6683586A0B7F893F3E9784C285311564A6D4FCF0D60A642,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121192Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:10.196{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54338-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017310614Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:53.446{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9EED50FC5A593A35D3789BCB32E2E2,SHA256=2CA071A72170188BDC3BE6A032DEA51FEFDAEDBD581744CABC46376B670A3D00,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121194Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:12.027{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54339-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000017310613Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:53.246{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0734C8F39020C013782CC7D51A07933D,SHA256=CBAB93FE176A424CC8FBDA7D5394E5E2A62276F85E087AFA0C725E7F0B809D38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310617Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:50.502{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-49520-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000017310616Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:49.638{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-45464-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310615Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:54.461{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2517D96709AB78AE7E3082CDF468F7B,SHA256=E886EFE5030A89B117F92260BE863F69A0353ADEDC51BAE68C2832CB6F84FD0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121198Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:54.136{068A336D-6C47-6192-1B00-000000000F02}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\respondent-20211115141851-5373MD5=7D5F4D75B6205BAE0B0CD245353355AE,SHA256=FF29CB026251AB2F621324A386EBB740C0EEF4A7746CD7FA9FAF12CBD8E709CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121197Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:54.099{068A336D-7D1C-6196-DA82-000000000F02}5628WIN-HOST-273\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j82gpjv7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121196Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:54.097{068A336D-7D1C-6196-DA82-000000000F02}5628WIN-HOST-273\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j82gpjv7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=2E070058E9056229AE7F3CF6085B9B44,SHA256=D6473135BA2E8D154C6D32353CB218529F8534C11A85630F29BC1E6699C6B738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121195Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:54.000{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0252A7FA2951BFDA16FD7EFFC48AF626,SHA256=E15484092A16DCAC18301436861E29B1EAF16AD716DC68360650B8DB628E2322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310619Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:55.492{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F6C991521198E2E51C54B2E287D67B,SHA256=1B0B3462B83062654E5A6821F267F52DC79889C8E70A5BC20D2AA371663A7BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121200Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:55.150{068A336D-6C47-6192-1B00-000000000F02}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\surveyor-20211115141847-5374MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121199Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:55.003{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4AABE65A84AB5117E9914339439CA11,SHA256=3228F28209FEF2BF0E9504E55DA18C18FFA739DE6E571C3D4D10098E41D4BB62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310618Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:55.176{CBEA6AB7-6A01-6192-1100-000000000E02}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EFB11262EE9F06B291E0156EA35155D1,SHA256=19F7A5867EB66A2E9E9F48AC4412ACCEACF1757EE025FCE0261B58985E613E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310620Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:56.493{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0CD4E6CCFBE8CC420184AD59BE89C6,SHA256=3744AD5243E81EA2ED10FED909A64E847B0AAC344225DF73949898AE64D30E93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121202Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:15.212{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54340-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121201Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:56.064{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE470C965249697C1F5B1609FB70ADD3,SHA256=7E5DDC801F3DA81CE363358E79F4FFBB3ED706987604003EF7DDA67FDCE866E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310623Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:53.580{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-56538-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310622Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:57.494{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C74F35DEAB922280AD60C010BDAC5BD,SHA256=787016D80506C522C267CD22EBC6DA94424BB9630975841308199F71EA78AAC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121203Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:57.064{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A644F9F28B2E8112A702CAF010778F,SHA256=9F395A23A5094804093C0D8B73B0CE89DAA0FDEEC5E1C78EC9C2E9D88670B73E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310621Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:57.193{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAEDF6FBC5C3B950DFFC5C6210AA4E8B,SHA256=EBD0221D5902D95278283DD196B663EFACC3C27755B8228E131E0DECAB87886D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310625Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:54.697{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60115-false10.0.1.12-8000- 23542300x800000000000000017310624Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:58.495{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832B502BDB9906BD902ADE53B5D9C378,SHA256=E3955C011ED59605D512319B1E346EF867F25A48F4F36B4C7D081040BFCBC78A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121204Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:58.080{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351302F0DF94FF2D1D3C0FEF026DE0A7,SHA256=D09D2430BC114958DC5E1567144C33DC31D2D9336DC8040717B5839E9C9D5CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310628Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:59.630{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E916ACA7AE0C40C28219F05F83785068,SHA256=DD92ADAF04EA36CA68C9EE96BD4C31E5A2D22519D629F407C35F507EDCB395F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310627Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:56.032{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-33692-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310626Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:59.510{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044F11A03EC20690053C6E91FC77538F,SHA256=D3D3A5587F5DBDB7D55BB23B54612B91FEF47BCC635AA913AFEC63C0E1D55F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121205Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:59.119{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0BB5F560004E9E58BAAB7EAEBF1186,SHA256=7A7016D5D79CD5CE8E40C60D8A12C87AE468BE8C746008F95DA4E961BD8B8FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310629Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:00.530{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C70FFC28A2D45712CAFA16E69AEE984,SHA256=3EC592B1B526E5A89FD9AF132AD44582AB210D423146DB912E9DE10E54976E1A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001121208Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-19 10:10:00.797{068A336D-6C46-6192-1100-000000000F02}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7dd2d-0x9cff94ba) 23542300x80000000000000001121207Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:00.119{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B80FB5C285D00FAC717A58776F33441,SHA256=D74AB8C61F583047A23492709ACC968A716F12FC57E8028B93EF3C8B5FA9A2D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121206Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:18.173{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-46044-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017310630Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:01.545{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197909D376AF3866B46538DD32644B29,SHA256=F7D5D0D4341A7FE2C038024FB384BB2B719FBDD67A13644A9BAD1C8250042522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121209Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:01.151{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0884A25DAC6D79FE259F39D5252EDB6F,SHA256=CB0C22AE342E4E210AA4388593AD28CD1469C136BF9C7968C63D24C5FD6DCCB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310631Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:02.560{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C836DED86DD1D49BC1411B907B717D,SHA256=921B9E692ABB24D9919D86581657958718881D083B56A19D5F56A9B7054C3F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121212Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:02.151{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3EF0AE3E0C676CC3E2F3E1B1D089CA,SHA256=DB163F982B25F1683569984281C967E1B3D31A34B6DF1F458EDBB2978C9A2FD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121211Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:20.844{068A336D-6C46-6192-1100-000000000F02}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-273.attackrange.local123ntpfalse169.254.169.123-123ntp 354300x80000000000000001121210Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:19.747{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-53690-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000017310633Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:59.711{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60116-false10.0.1.12-8000- 23542300x800000000000000017310632Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:03.591{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C45426C059E112486070242D072B86,SHA256=76F86D6C4F9736A6A42838A74B7B9A3314E8B8466A623B63D5D95B5166204A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121214Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:03.166{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9096FADA077F57FD4F6BEEF225E331DC,SHA256=23E3090A00F979ACC8FD3C5670FAF62ED2B3A4520C3CF661D20CFA8DB37E3453,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121213Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:21.164{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54341-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017310634Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:04.591{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DCB4A2963F11D32EEE5AFA5893D439,SHA256=C6AFF6550C78CE2D78BF5074B583D9DF9A63E1266AEAEA3B2DE32AC6534D1043,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121216Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:21.806{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-58164-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121215Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:04.181{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67BA7BF5398CFA4FC6DE51E96381999,SHA256=7B9DA518F3C0A66D90137000F752456B1CAADF851A64E63B4B044B03EB2CB7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310635Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:05.606{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D905FCA1234F15E6C67956805F6AE813,SHA256=12C9004E5EC5637F4E8EFE4A076C9A26A2B0931C980DEE61771671D09FF9E393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121217Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:05.205{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE23C0ED8335A81006600CA7EA77FEA,SHA256=F37EA1D55F87116D5DEBC5D432A61180E79A03C5E3644D7FB2D36738465904C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310638Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:06.805{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83D9F6B1BFA289F6FBC6B7080C1E2D54,SHA256=B241A50214FE520D6C5B9642989FFF4EC9B8D33E02A3E39106C287680046665A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310637Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:06.805{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B453D68F37A95F31D643253793295D0,SHA256=5C233C3E344983635F670F208D9486642CC66D5D861A8D9098AC555E4780E26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310636Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:06.624{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7487FF4A9DDB90C534B061BD9C0ADA36,SHA256=A41247519FD0B5F5E1774B5B4703A0DE98DB38FC047933B51DF5F44AD168A91B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121219Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.078{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.114-54036-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121218Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:06.224{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D42D478F098B32CC553E4C41506FD4,SHA256=5C096D361AAD47BBA2CD8EE090C33C349ACE10213F5001702653E5D6F5752BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310641Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:07.942{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83D9F6B1BFA289F6FBC6B7080C1E2D54,SHA256=B241A50214FE520D6C5B9642989FFF4EC9B8D33E02A3E39106C287680046665A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310640Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:03.192{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-47766-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310639Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:07.658{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F7F8B27B95DB4A9FFE7F3A6CA1D66D,SHA256=D62858BBEECEEC8A0DA87F54F3164C41673F284DF60F47221120E0F4AC5A45F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121221Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.186{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54342-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121220Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:07.285{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0D632D86842B8CABAF0842119FAAE3,SHA256=3B5C26B163FCB93477BCE11EF77D601CA53A7348ADAFB736DEDBB0006CE78C77,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310644Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:04.756{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60117-false10.0.1.12-8000- 354300x800000000000000017310643Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:04.292{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.82.77.234scanner.openportstats.com8097-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310642Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:08.688{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F933D2B7B28665163A5F7E40FD0F2487,SHA256=8A1CBB355605F81812B85B5A35633147B46598AB30CB27CE73557A750D32A96B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121222Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:08.304{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCAE213E30B2E33E007E8B8F3E5128B,SHA256=6B10C9482F85CA7CC681D6D8197DB6FB009BD042A22770122AE7C880043A54A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310647Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:06.225{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-54736-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310646Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:09.821{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82672450FD93E1F0951588D8B7A04F69,SHA256=93DD87BDE3BADA2B5B4D96803B2AB0AE73F927A7BEC6D099616F326169BD769F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310645Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:09.703{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBFAF16D1CEDB59E146E2F2E27191D16,SHA256=C69DE4D955D772D496A22C9E4B2DA2B5FF6FE8A6726D590B4051084B500F8330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121225Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:09.801{068A336D-6C46-6192-1200-000000000F02}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=918943FF09E7F529610B86C14F482DE8,SHA256=DEE889148F9B1730DDE6EC40B47277978C71F130BE32014FFC4402399A7FBDAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121224Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.402{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-42502-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121223Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:09.322{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9833B16BE53FC092BEA6F49B289F3CAB,SHA256=87714EE9CDDE5679F60CE6FD8CFCBCFA126196E133CCBB1ACE7489F8BFA25F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310648Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:10.724{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3026DE38E9B491068D3229E92813B8,SHA256=651B4BD5482B338DCA651A567443FF3C22C8F8E6FCEB5E22BA45F335E3CE3F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121226Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:10.322{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3145824A07FA0B6913BD586FC6D530F6,SHA256=4B31BBD3B2CAFC09ACFB750BFF911326E4FFB32C184E0860ECAD36E9A938555E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310649Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:11.754{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E4A71A60B7E3528B4771FB4D3BF0FA,SHA256=ABA590FFCA142CA4F175A0212A2CD526DCBAEE76BD030852CFB25449A3ABE418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121227Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:11.322{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C054CFF17A52B1E96BC7890C587E442,SHA256=6C8C8386D55C8C2A2053ABFF23C344D75009887CE9704188031114EE1A516D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310650Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:12.785{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=788FE3AAB22CC0C85D92BD81E1E10CD1,SHA256=9E4F3EFBE9E427D38C404885928FB4E70EDAB115C4B652197334EBEEAF854C12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121230Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.822{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-45602-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121229Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.546{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-44790-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121228Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:12.323{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE22A039B3C6A5D44792B71E68B3F517,SHA256=1A508E4F330F0DC80B032D60A34AD059477C02934A2609538F60921414BA317E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310677Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.822{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA233C461200E6514C85FA3327AFB8D,SHA256=7623EB1D1C3A378813002D684CE1EA28C7B8C3E87551520860C2B9DA0C09EA5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121233Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.285{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54343-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001121232Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.245{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-54346-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121231Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:13.404{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB028531EC9E41477A11B08AEF66976,SHA256=ED8AE4AE0436965204FF5D85874C4AF09A91979856066632C697398105B748E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310676Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310675Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310674Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310673Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310672Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310671Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310670Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310669Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310668Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310667Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310666Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310665Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310664Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310663Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310662Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310661Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310660Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310659Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310658Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310657Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310656Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310655Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310654Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310653Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-1A7E-000000000E02}5348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310652Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-1A7E-000000000E02}5348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310651Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-1A7E-000000000E02}5348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310678Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:14.853{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670D37EE30BFCB8FCFF27DD839843300,SHA256=C2AB82A967097A20BDFD353EF3A15CB1BF3B18362B4A317F101B83BEC122F0E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121234Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:14.425{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DB6994ADCB8613B5FC6FBC5BF80E55,SHA256=B90207157CB1354602F1B62CC37AA88D99B183AEEE6D191D487E5EE43C7F2C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310680Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:15.854{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773659F35A37D73CD661C8F51BDBA572,SHA256=9B048F5A0FEDFE39FC48004941170C61630A9F3AEBC269E37661F716EFD62952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121235Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:15.440{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53969B346149AB5BCAF7788804C58831,SHA256=24B16624F5C2A9DD3FD1B5CF05F994FC2D00AF9440625951AC6E4F6C630C5827,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310679Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:10.668{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60118-false10.0.1.12-8000- 23542300x800000000000000017310681Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:16.869{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2242290B4F414EBE929AEF0691C7F1F5,SHA256=689933E87150B7232BCA5DBD7A9FE14AB06FA79C6D82671BEF7E69EA094881E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121236Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:16.456{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76576D1ECFB820F677E8C1A6BB2AF973,SHA256=2FAD4233D41C70797402CEA40DCAB8087C08B13C9533C3E21955288B354D3175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310683Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:17.871{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5B04077E345447EA1B324B7631640A,SHA256=FB8F41F5A2937616C7BDD3775199C1CCBFCAAC58B5DF13A3496DD6BD63B9F83B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121237Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:17.471{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC6504C9EEE3E05F201D41A9B2E9919,SHA256=72FA3C1F6F4ACAFAF8D6956793D25DD52CB61A8677BA60AE71EE3C2F03AD9AA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310682Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:17.116{CBEA6AB7-6F14-6192-DE04-000000000E02}41924312C:\Windows\system32\taskhostw.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310710Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.882{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5569B7B28C93AEAD1AC2CA048CEF2E5,SHA256=337A1FDD007CB8EF6F57D0227D815D3186CA1F9F125E63D02AD278BEEF8F143C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121239Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:37.203{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54344-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121238Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:18.507{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD17F025D81C81A5FE3C0AC6DAC321C,SHA256=370B489FA0BE8832122FA5F45AECFF6B3F2AA1CBF8667149BEBF28A8A3BF4544,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310709Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.281{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310708Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.279{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310707Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.279{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310706Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.273{CBEA6AB7-6F14-6192-DE04-000000000E02}41924312C:\Windows\system32\taskhostw.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310705Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.273{CBEA6AB7-6F14-6192-DE04-000000000E02}41924312C:\Windows\system32\taskhostw.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310704Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.263{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310703Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.263{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310702Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.263{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310701Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.263{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310700Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.261{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310699Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.259{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310698Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.259{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310697Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.259{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310696Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.249{CBEA6AB7-6A01-6192-1600-000000000E02}12803084C:\Windows\system32\svchost.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310695Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.249{CBEA6AB7-6A01-6192-1600-000000000E02}12801336C:\Windows\system32\svchost.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310694Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.241{CBEA6AB7-780A-6197-DA9E-000000000E02}56363612C:\Windows\system32\conhost.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310693Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.233{CBEA6AB7-6A01-6192-1400-000000000E02}11008956C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310692Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.227{CBEA6AB7-6F11-6192-D304-000000000E02}40923604C:\Windows\system32\csrss.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310691Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.218{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310690Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.218{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310689Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.217{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310688Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.217{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310687Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.217{CBEA6AB7-6F11-6192-D304-000000000E02}40926000C:\Windows\system32\csrss.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310686Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.217{CBEA6AB7-6397-6196-187E-000000000E02}18565180C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+3d473|C:\Windows\System32\SHELL32.dll+3d33b|C:\Windows\System32\SHELL32.dll+3cc57|C:\Windows\System32\SHELL32.dll+3c91c|C:\Windows\System32\SHELL32.dll+e2087|C:\Windows\System32\SHELL32.dll+e1fe5 154100x800000000000000017310685Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.211{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{CBEA6AB7-6F13-6192-9E98-2F0000000000}0x2f989e2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 354300x800000000000000017310684Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:14.723{CBEA6AB7-6A11-6192-2D00-000000000E02}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local65390- 23542300x800000000000000017310716Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:19.889{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70608DB0F5ABD599F42A824D113357F,SHA256=56EA904342A9B8F46210E679F2B7E90E8A8F52A839FB0B2E1100687B6E892665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121240Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:19.524{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB63CB52E1E61D9DC44EEF492593DC6,SHA256=BB4F15F3BB7CEE3D05999B2B349F4E40C2DA519DA791C071670F3FB3CC2CBE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310715Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:19.264{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FB72207C416C97C879F158F799A8B24,SHA256=AE4B42D812E0631E913BC08EF7F01322FACF52E09E433A3C60A125854D145622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310714Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:19.262{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=025EC85E81CEADF382119E81BFDAB1AF,SHA256=FB74F373BB73AA1DA3C04007C17C9AB2643A835B4460EC77BC6B165BFE9F2E34,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310713Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:14.726{CBEA6AB7-643A-6197-729C-000000000E02}7764C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-970.attackrange.local65391-false142.250.185.68fra16s48-in-f4.1e100.net443https 354300x800000000000000017310712Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:14.726{CBEA6AB7-6A11-6192-2D00-000000000E02}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local63174- 354300x800000000000000017310711Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:14.725{CBEA6AB7-6A11-6192-2D00-000000000E02}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50962- 23542300x800000000000000017310718Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:20.894{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CC0FF8319945355E1EC733C0F2C450,SHA256=2F6397E70623E668242066EEE43E162D51CBD904808D71F3F5D782A061FD9986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121241Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:20.539{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C37B38E7444A625C9B88A85E303D7A,SHA256=DB6693C93BCFF95ADA595529B3B43E8748C98C162AB96AF27DE2CC4C56104C3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310717Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:15.773{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60119-false10.0.1.12-8000- 23542300x800000000000000017310742Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.909{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726815E1DA249D46C70797481C261601,SHA256=CE7D46C06B80B2A0854667643E60444856280792277D60A6CE79338834694B2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121243Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:39.342{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-43788-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121242Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:21.555{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2B299307693C8FAF5CA44768229DDF,SHA256=83D370F0C1C59E9E2FC9E7A0CB74A3191DC2A20FF9AF669024A36A1FEAFE7849,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310741Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.100{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310740Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.098{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310739Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.098{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310738Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.098{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310737Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.098{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310736Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.098{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310735Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.098{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310734Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.092{CBEA6AB7-6F14-6192-DE04-000000000E02}41924312C:\Windows\system32\taskhostw.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310733Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.090{CBEA6AB7-6F14-6192-DE04-000000000E02}41924312C:\Windows\system32\taskhostw.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310732Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.086{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310731Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.086{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310730Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.086{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310729Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.086{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310728Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.072{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310727Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.066{CBEA6AB7-6A01-6192-1600-000000000E02}12803084C:\Windows\system32\svchost.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310726Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.066{CBEA6AB7-6A01-6192-1600-000000000E02}12801336C:\Windows\system32\svchost.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310725Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.032{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310724Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.032{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310723Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.032{CBEA6AB7-6F11-6192-D304-000000000E02}40921012C:\Windows\system32\csrss.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310722Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.032{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310721Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.032{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310720Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.032{CBEA6AB7-780A-6197-D99E-000000000E02}60049016C:\Windows\system32\cmd.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310719Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.026{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\System32\dxdiag.exe10.0.14393.2457 (rs1_release_inmarket.180822-1743)Microsoft DirectX Diagnostic ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationdxdiag.exedxdiagC:\Users\Administrator\ATTACKRANGE\Administrator{CBEA6AB7-6F13-6192-9E98-2F0000000000}0x2f989e2HighMD5=547556E6022C3F8814D5C9D59BE746C8,SHA256=D035316F6BDF5009934565079CE30EA49A540492780CA476571C904B18C8518A,IMPHASH=BF1BC5E91C7FEDD371D86092799F9519{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000017310747Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:22.915{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C18930101DD3950D239612298CDE308,SHA256=36856354EF18D6ED3FBE561554E21AA0B976379505ED42760E53DA69355208E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121244Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:22.555{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42E510C7A5C04A03221CD1B2A680317,SHA256=383BFD04A55A3D83D7EBDC30711C345D995C9570A7412E1A81EF4FB9410217A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310746Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:22.642{CBEA6AB7-6397-6196-187E-000000000E02}18567768C:\Windows\explorer.exe{CBEA6AB7-643A-6197-729C-000000000E02}7764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8037A4EFD08)|UNKNOWN(FFFFB2CDE74A5B48)|UNKNOWN(FFFFB2CDE74A5CC7)|UNKNOWN(FFFFB2CDE74A0351)|UNKNOWN(FFFFB2CDE74A1D1A)|UNKNOWN(FFFFB2CDE749FFD6)|UNKNOWN(FFFFF8037A208103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000017310745Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:22.642{CBEA6AB7-6397-6196-187E-000000000E02}18567768C:\Windows\explorer.exe{CBEA6AB7-643A-6197-729C-000000000E02}7764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8037A4EFD08)|UNKNOWN(FFFFB2CDE74A5B48)|UNKNOWN(FFFFB2CDE74A5CC7)|UNKNOWN(FFFFB2CDE74A0351)|UNKNOWN(FFFFB2CDE74A1D1A)|UNKNOWN(FFFFB2CDE749FFD6)|UNKNOWN(FFFFF8037A208103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310744Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:22.642{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF13beee22.TMPMD5=F73D9CF608BCA5B177FC2D88CDEE67A1,SHA256=08D601DC82FD263D9DA78FAEEB42B109F6BAE1338BE9B538143592586E744332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310743Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:22.031{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FB72207C416C97C879F158F799A8B24,SHA256=AE4B42D812E0631E913BC08EF7F01322FACF52E09E433A3C60A125854D145622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310749Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:23.918{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5765FA753F98E068DE37B5BA970B5D1,SHA256=4AAE80D7EBBA6E1DD038DCA320101CC6F6879D4FC3A2DECA37A886210B199DDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121247Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:42.094{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-46728-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x80000000000000001121246Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:23.623{068A336D-6C46-6192-0D00-000000000F02}7844472C:\Windows\system32\svchost.exe{068A336D-6C46-6192-1600-000000000F02}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001121245Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:23.570{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD1883BC6D14D64F6334E1F4F282B37,SHA256=47A1784C7167DE10CBE936478EC3833DD65F13E2E42BBA2F699D79C732A77225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310748Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:23.792{CBEA6AB7-6A11-6192-2900-000000000E02}2928NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\respondent-20211115140924-5382MD5=B1D65678BAAFB9FBC346ADDC22B9EF13,SHA256=A60E4A1EB0B1846EE4D092EA74D659E3EDD5022A58AD08DA4DCF9E97FBF70157,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121249Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:43.234{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54345-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121248Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:24.605{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95354EDA3050A3A2F4B3E796F72914C6,SHA256=5CB96AACFBC18ABDDC5A05B737C74A982CB56AFCD38F4A4E37E10496DB091D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310768Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.928{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2538C8A3CDA15BDE87F9700085955859,SHA256=44D0C1C88109446BA51FE5A8200E76BAB7D0A2AC16C17909810FDFDF56820FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310767Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.793{CBEA6AB7-6A11-6192-2900-000000000E02}2928NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\surveyor-20211115140922-5383MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310766Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.760{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310765Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.760{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310764Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.760{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310763Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.760{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310762Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.758{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310761Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.758{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310760Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.758{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310759Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.758{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310758Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.758{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000017310757Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localT1122SetValue2021-11-19 10:10:24.676{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exeHKCR\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\(Default)C:\Windows\system32\dxdiagn.dll 10341000x800000000000000017310756Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.666{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310755Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.666{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310754Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.666{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310753Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.662{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310752Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.662{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310751Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.662{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310750Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.662{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121264Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.924{068A336D-7811-6197-88A1-000000000F02}55202620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121263Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.701{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-7811-6197-88A1-000000000F02}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121262Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121261Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121260Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121259Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121258Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121257Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121256Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121255Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121254Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121253Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C45-6192-0500-000000000F02}408424C:\Windows\system32\csrss.exe{068A336D-7811-6197-88A1-000000000F02}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121252Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-7811-6197-88A1-000000000F02}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121251Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.671{068A336D-7811-6197-88A1-000000000F02}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121250Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.623{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48F43C303F6979ABFA4B686802CDE62,SHA256=DF8C6F83934FD7975D2FC18CEA28F70F53E92AFA0A1974B62788AA3BC229DC52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310797Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310796Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310795Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-6F21-6197-CE9D-000000000E02}4324C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310794Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-68EE-6197-149D-000000000E02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310793Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-66F2-6197-D49C-000000000E02}4912C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310792Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-66C3-6197-CC9C-000000000E02}7272C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310791Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-643D-6197-7B9C-000000000E02}6860C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310790Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-643C-6197-799C-000000000E02}3116C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310789Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-643C-6197-789C-000000000E02}4060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310788Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-643C-6197-769C-000000000E02}6724C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310787Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-643B-6197-759C-000000000E02}6696C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310786Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.941{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-643A-6197-729C-000000000E02}7764C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310785Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.941{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-7FD2-6196-8F81-000000000E02}7484C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310784Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.941{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-7FD2-6196-8E81-000000000E02}4732C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310783Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.941{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-7FC5-6196-8C81-000000000E02}8780C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310782Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.939{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-7D11-6196-3481-000000000E02}5428C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310781Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.939{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-7D11-6196-3381-000000000E02}7464C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310780Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.939{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-79D5-6196-CD80-000000000E02}9060C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310779Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.937{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-7907-6196-B680-000000000E02}8912C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310778Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.937{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-7907-6196-B580-000000000E02}6088C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310777Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.937{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-78E0-6196-AD80-000000000E02}5108C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310776Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.935{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-78A5-6196-A280-000000000E02}2672C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310775Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.933{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38222A47FEFC3603C5D7B891A7E4AEE2,SHA256=4A876BD1DBD9759690245599E8B644D83CEC6A3097DAA33CAE768F3871844200,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310774Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.931{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-6399-6196-1A7E-000000000E02}5348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310773Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.926{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310772Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.926{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310771Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.920{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-936D-6193-B527-000000000E02}6292C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310770Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.916{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-6F14-6192-DD04-000000000E02}4136C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310769Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.915{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-6F14-6192-DA04-000000000E02}3932C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310814Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.959{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F34367BD8FECB7475B28CB47AE58505,SHA256=132C2AE713043FF77B256D33C259C7ABD752163FDD42F3C74DBC814585ED7D50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121277Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-7812-6197-89A1-000000000F02}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121276Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121275Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121274Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121273Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121272Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121271Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121270Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121269Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121268Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C45-6192-0500-000000000F02}408524C:\Windows\system32\csrss.exe{068A336D-7812-6197-89A1-000000000F02}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121267Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121266Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-7812-6197-89A1-000000000F02}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121265Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.357{068A336D-7812-6197-89A1-000000000F02}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017310813Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.403{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310812Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.403{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310811Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.403{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310810Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.403{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310809Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.403{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310808Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.403{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310807Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.403{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310806Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.387{CBEA6AB7-6F14-6192-DE04-000000000E02}41924312C:\Windows\system32\taskhostw.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310805Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.385{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310804Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.385{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310803Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.385{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310802Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.385{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000017310801Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.586{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60120-false10.0.1.12-8000- 10341000x800000000000000017310800Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.035{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310799Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.033{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310798Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.033{CBEA6AB7-69FF-6192-0B00-000000000E02}624672C:\Windows\system32\lsass.exe{CBEA6AB7-6A01-6192-1600-000000000E02}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310828Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:27.972{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B120FA049B436EAFC12E3A0A9EFCF0D5,SHA256=59CE73947136629158C4A916966B1B54C18F0DDEDC7CC29914C6BF12710BEFD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121291Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.104{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BDE99FBC1958F9E9065B1A32C14A36A,SHA256=E9A7C58818A2CF80D64335D8259C055A1CF71AC60587A65A2521A80EF5DEE70D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121290Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.056{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-7813-6197-8AA1-000000000F02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121289Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121288Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121287Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121286Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121285Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121284Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121283Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121282Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121281Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.056{068A336D-6C45-6192-0500-000000000F02}4081012C:\Windows\system32\csrss.exe{068A336D-7813-6197-8AA1-000000000F02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121280Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121279Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.056{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-7813-6197-8AA1-000000000F02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121278Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.043{068A336D-7813-6197-8AA1-000000000F02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310827Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:27.904{CBEA6AB7-780D-6197-DB9E-000000000E02}8060ATTACKRANGE\AdministratorC:\Windows\system32\dxdiag.exeC:\Windows\INF\display.PNFMD5=2302F8A165FFCAF84A2ECCF4A7203B49,SHA256=AC3C15F1126B9DC3E526F163917491418436514D1829882B379B181D0FBA872E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000017310826Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-11-19 10:10:27.800{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exeHKU\S-1-5-21-492600379-461247840-3315989157-500\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device\FriendlyNameDefault DirectSound Device 13241300x800000000000000017310825Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-11-19 10:10:27.798{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exeHKU\S-1-5-21-492600379-461247840-3315989157-500\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default WaveOut Device\FriendlyNameDefault WaveOut Device 13241300x800000000000000017310824Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-11-19 10:10:27.778{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exeHKU\S-1-5-21-492600379-461247840-3315989157-500\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device\FriendlyNameDefault MidiOut Device 13241300x800000000000000017310823Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-11-19 10:10:27.770{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exeHKU\S-1-5-21-492600379-461247840-3315989157-500\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\49GSM 6.10\FriendlyNameGSM 6.10 13241300x800000000000000017310822Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-11-19 10:10:27.770{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exeHKU\S-1-5-21-492600379-461247840-3315989157-500\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\7CCITT u-Law\FriendlyNameCCITT u-Law 13241300x800000000000000017310821Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-11-19 10:10:27.770{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exeHKU\S-1-5-21-492600379-461247840-3315989157-500\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\6CCITT A-Law\FriendlyNameCCITT A-Law 13241300x800000000000000017310820Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-11-19 10:10:27.768{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exeHKU\S-1-5-21-492600379-461247840-3315989157-500\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\2Microsoft ADPCM\FriendlyNameMicrosoft ADPCM 13241300x800000000000000017310819Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-11-19 10:10:27.768{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exeHKU\S-1-5-21-492600379-461247840-3315989157-500\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\85MPEG Layer-3\FriendlyNameMPEG Layer-3 13241300x800000000000000017310818Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-11-19 10:10:27.768{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exeHKU\S-1-5-21-492600379-461247840-3315989157-500\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\17IMA ADPCM\FriendlyNameIMA ADPCM 13241300x800000000000000017310817Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-11-19 10:10:27.768{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exeHKU\S-1-5-21-492600379-461247840-3315989157-500\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\1PCM\FriendlyNamePCM 23542300x800000000000000017310816Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:27.641{CBEA6AB7-780D-6197-DB9E-000000000E02}8060ATTACKRANGE\AdministratorC:\Windows\system32\dxdiag.exeC:\Windows\INF\msmouse.PNFMD5=C5D25BB712ED977D98D19CBC402C401C,SHA256=306F0D53B3FC72F5A549668A6E56E387810837D388E22942B385A002281EDF67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310815Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:27.607{CBEA6AB7-780D-6197-DB9E-000000000E02}8060ATTACKRANGE\AdministratorC:\Windows\system32\dxdiag.exeC:\Windows\INF\keyboard.PNFMD5=AC0DE286508A150773EE5C5816F5983E,SHA256=5A4C8DCDAAA920CE034ABBF1E9FFB67A5A6AC758C0926C13532D276A87B2FCA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310829Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:28.979{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE74D407D914CA6AA8168D24EB6C9DAF,SHA256=FD2B81E6FAA66B463D926EBEC03C8C93532711AFAB1DF8F3AE97B48C0FA9BDA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121292Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:28.057{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE0D06E5F4BE85A9E2848815F68D1A8,SHA256=8353E69ECBB45788F693995F60D2900AAAC1D154D6985E6F6664033A2394C1F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121321Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.972{068A336D-7815-6197-8CA1-000000000F02}36283484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121320Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.688{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-7815-6197-8CA1-000000000F02}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121319Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.688{068A336D-6C45-6192-0500-000000000F02}4081012C:\Windows\system32\csrss.exe{068A336D-7815-6197-8CA1-000000000F02}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121318Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.688{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121317Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.688{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121316Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.688{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121315Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.688{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121314Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.688{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121313Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.688{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121312Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.688{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121311Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.688{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121310Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.688{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121309Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.688{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-7815-6197-8CA1-000000000F02}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121308Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.672{068A336D-7815-6197-8CA1-000000000F02}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001121307Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.240{068A336D-7814-6197-8BA1-000000000F02}39881908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001121306Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.087{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5AC88EFF4AA0F820ED2EEF7CF75805,SHA256=638D36095B80A5C9A4407B1C4F1152EFB41B686D34A4A20AA3405349501AEA62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310836Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:29.866{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310835Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:29.866{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310834Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:29.866{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310833Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:29.856{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310832Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:29.856{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310831Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:29.856{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310830Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:29.856{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121305Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.009{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-7814-6197-8BA1-000000000F02}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121304Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.008{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121303Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.008{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121302Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.008{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121301Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121300Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121299Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121298Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121297Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121296Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.004{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121295Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.004{068A336D-6C45-6192-0500-000000000F02}408424C:\Windows\system32\csrss.exe{068A336D-7814-6197-8BA1-000000000F02}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121294Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:29.004{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-7814-6197-8BA1-000000000F02}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121293Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:28.989{068A336D-7814-6197-8BA1-000000000F02}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001121338Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:49.384{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-37372-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121337Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:49.267{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54346-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001121336Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.609{068A336D-7816-6197-8DA1-000000000F02}29724976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121335Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.372{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-7816-6197-8DA1-000000000F02}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121334Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.372{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121333Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.372{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121332Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.372{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121331Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.372{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121330Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.372{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121329Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.372{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121328Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.372{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121327Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.372{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121326Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.372{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121325Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.372{068A336D-6C45-6192-0500-000000000F02}4081764C:\Windows\system32\csrss.exe{068A336D-7816-6197-8DA1-000000000F02}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121324Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.372{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-7816-6197-8DA1-000000000F02}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121323Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.357{068A336D-7816-6197-8DA1-000000000F02}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121322Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.107{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC0B842CCF9ACE07CAC21C5875BCCAF,SHA256=310A5A7ED9991D1D500A734A078D2269641132A86741F46DF31B7731CA26C182,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310838Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.602{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60121-false10.0.1.12-8000- 23542300x800000000000000017310837Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:30.015{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=836AD0491D520EB754CFD8657B3CF276,SHA256=7240BCA075DF0D5B98B0F5E14E7CCBD129FA0E15BCD4AA71E16DA3A8899314DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121353Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:49.731{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-35686-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121352Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.172{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE4F8E9F4DDB0171677B76002021159,SHA256=F942C7E80D253FE1FF206DFEE8955E58A5B4A1A090ABA00CDBB8B07984A721D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310840Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:31.216{CBEA6AB7-69FF-6192-0B00-000000000E02}624672C:\Windows\system32\lsass.exe{CBEA6AB7-69FD-6192-0100-000000000E02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000017310839Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:31.024{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABED928E7A51D2B414EB8E7313C45169,SHA256=F6D18BF3AC434D342BEE58CE155682B69AB0C0474ED9CD1D11D913F78B9A621C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121351Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.056{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-7817-6197-8EA1-000000000F02}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121350Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121349Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121348Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121347Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121346Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121345Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121344Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121343Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121342Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121341Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.056{068A336D-6C45-6192-0500-000000000F02}408424C:\Windows\system32\csrss.exe{068A336D-7817-6197-8EA1-000000000F02}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121340Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.056{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-7817-6197-8EA1-000000000F02}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121339Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.041{068A336D-7817-6197-8EA1-000000000F02}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121354Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:32.186{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCCDF278F685DE525E4B6F36A1E2DD0,SHA256=657E75741317E9BD7051CDB7930155268D36A8C0A690BC492853D44144216FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310843Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:32.225{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E366254653CBED552936CD4BF539B195,SHA256=C38769EF0F94CF20D5FED9D39789A6562769EEAE3B6C2A00F306E134E1F27FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310842Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:32.223{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38550521E16F887620F8846AC9877923,SHA256=55CC8CDE487D712CBD3AAA7E62D1AE0627E59A7266784E10A3B3A8498DCC5259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310841Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:32.033{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68CC8D742E6F34DA4D602DB0C809A73B,SHA256=D7A10F31C297C2D88221C855E288E87FF2829584D19E44E75E72B882798BBF84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121355Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:33.217{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8432C30936FBE9DE0BDE3926F5818D8,SHA256=95DA377B53DD97798C6D427A244D8230CE107B35E0A92AE28CC655EFC2B33198,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310846Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:28.766{CBEA6AB7-69FD-6192-0100-000000000E02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60122-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local445microsoft-ds 354300x800000000000000017310845Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:28.766{CBEA6AB7-69FD-6192-0100-000000000E02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60122-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local445microsoft-ds 23542300x800000000000000017310844Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:33.036{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C37634BCC796C1B5F5983A4C6F4634,SHA256=A9E777985B063AEB573DE5707D536B0CB02D1662D3B21719EF9F128FD05B01C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121356Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:34.233{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4B6848A4E5DF2F8B2A3CE74410ACBD,SHA256=2F0B6BA3AD2E96A143D8CB4ED481F08CBE9387C28981B5E04F60B980CBDAD8F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310848Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:34.392{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E366254653CBED552936CD4BF539B195,SHA256=C38769EF0F94CF20D5FED9D39789A6562769EEAE3B6C2A00F306E134E1F27FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310847Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:34.044{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1B091EC6958DD6B4DD156A1CF04AAD,SHA256=F1BABDC92670F625D4BD0004FB6DB75CF3C01938E913D25B006B4C0C9C462E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121357Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:35.234{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB4BCEB7BC9871D4BB1125D5DD785FF,SHA256=06A13C8E66AB9613D35BDCDA8BD9835C480A07FED67D9AFCDB9F0D2A591E8514,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310850Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:30.791{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-53896-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310849Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:35.051{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D676CDBDD62BF122DEC27081984F1C5D,SHA256=6A0B334BF048DFF8EE1FB432C54CD02674BBD78884C8DEBE166CC28963FAAF42,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310852Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:32.594{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60123-false10.0.1.12-8000- 23542300x800000000000000017310851Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:36.055{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870C61F7A76053A58D5E2A7113097552,SHA256=8B6C3A5DE3E9B21D32C8D972601902271C1D78337A37B573BA2CFBAA2876869E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121358Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:36.253{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A81326162170AF447C2702FE981EEB,SHA256=F05ACA82C74B24FAD6130701CABE3EFAA7380AF95D19FAF1D754BF38D90861DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310853Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:37.062{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B3BBBA7DDA63A48534423AE4B53FD98,SHA256=23C60C279AF2819C8BBCF6FF333D0D4564D6CB84194EFDB0928B7A499D9B3494,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121361Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:56.443{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-50580-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121360Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:55.198{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54347-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121359Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:37.271{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72CCA68D9095F67C1C587D37FC4F8BD,SHA256=17FFDCB2F1B5080026ECFBDA555CD9B0E18B5B09BB5C460FE6F7D7627A7FA4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121362Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:38.272{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9DF195C69E47EB3BB53B9D9EFD74ACF,SHA256=4C359670E3F3A9A1F965B12149986B82C9243D29D3C25981B51E4AEAA4B43878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310855Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:38.770{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39C503D049DD768B2F55DD79F3E40994,SHA256=63936B3A98E190FB2D9767680860FCF1F4F859FF1E5A29F862D7049C48034A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310854Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:38.065{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD1794CBA6E3DC6BDF9C5FC1CDC39AD,SHA256=CD4210210CCF0B2DA98BBE3AA25C479D489097BDCF529D6F4C950CD5101554C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121364Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:58.555{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-49804-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121363Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:39.277{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A7F10A2B5048396BD728070A593808,SHA256=7F0D1EFDB8C96803F461ED17EBAA15C8087C1132D6C25811459BC09E009CDA05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310859Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:39.889{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9881177FBFE35BD3B5B214C540667109,SHA256=1BE23C5689227C6990F63F0C14DFE9351DB9A03027EE7984DD0661598818767C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310858Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:35.308{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60124-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 354300x800000000000000017310857Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:35.308{CBEA6AB7-6A11-6192-2700-000000000E02}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60124-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 23542300x800000000000000017310856Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:39.074{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72662449DD8CADB17D37140CA40BE96,SHA256=ED80B3E7CC1114D9F9064650B25254D8437B5BBDB79B9FF61AE418E87A99D545,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121368Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:40.777{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C46-6192-1500-000000000F02}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121367Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:40.777{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C46-6192-1500-000000000F02}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121366Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:40.777{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C46-6192-1500-000000000F02}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001121365Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:40.277{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6091073AAA052B42093DCB5D8B72A48,SHA256=05BE32A52DFE5EB1839C9F70DFFD3E9E213EB2761EC24E9F542F6B34E97EA3EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310863Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:40.909{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E04766E4D1C255FF5A5A9C806C8DF81,SHA256=706AF3D1EEE5FEA916CE7F58E14105ACEFA45E1F50E468717442386912F31603,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310862Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:36.208{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-37386-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000017310861Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:36.037{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-35504-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310860Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:40.082{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BEF8F487910AFBD7ABC9FC3FF7B9118,SHA256=30D7C026567879C392811CB6BA0ADFD2B732F82CFCA7AE3BA0028AD1735B2DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121369Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:41.277{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3119C4646A4183D0268C9532723830D,SHA256=C5F6CCAF6E8CDBD749660C01F60991A61930B59B1D972F2873B6020DDEFCA1B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310866Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:37.414{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-39050-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000017310865Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:37.052{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-37920-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310864Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:41.087{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BDB0AD00ED9B91DD71EC833984D85E6,SHA256=92D21587FE5F16A47E5A664248474C003F73A9075453EC5D58845CABDD113122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121371Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:42.278{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE185D3F536224550E3AEF24065353E5,SHA256=406EFACF384760D3CA92CBA2FB3E2019E838BC993A3E3DC6462F38B9DB5A5C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310869Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:42.915{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24F2599D5593143607774CCDAF34DE81,SHA256=0309B40B6B393BBBD5B0E0BC0DD871F1E2797CD84D6D81ACD1B90F066AD04A98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310868Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:37.746{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60125-false10.0.1.12-8000- 23542300x800000000000000017310867Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:42.095{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11894ECB6EB0D44F1F83EF1753562D6E,SHA256=D7A247CAD53C419F4DF9952795B71453D2AD75E699A36BC821542580B13B2ED9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121370Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:00.241{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54348-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121372Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:43.325{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76BD43AABB1C7255A44ADB2C60E3C119,SHA256=6C982A4770156BDFDBFD7A2141EB7FE1956285CE410877B1D04AD836D56A53A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310878Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:43.521{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-7823-6197-DC9E-000000000E02}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310877Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:43.519{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310876Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:43.519{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310875Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:43.519{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310874Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:43.519{CBEA6AB7-69FF-6192-0500-000000000E02}408524C:\Windows\system32\csrss.exe{CBEA6AB7-7823-6197-DC9E-000000000E02}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310873Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:43.519{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310872Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:43.519{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-7823-6197-DC9E-000000000E02}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310871Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:43.496{CBEA6AB7-7823-6197-DC9E-000000000E02}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310870Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:43.101{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6585B8B3C05CA4A70FC1CC6C71162C9,SHA256=BBD9725C106486C5CC7CC580232DC5493C684AA2E64C7E12B3EA0EBFF33ECAF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121374Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:44.358{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCA65B118318A2458989B51CCD28577,SHA256=C0FBAEF82997581DDB4A51496F5AA730FA69DB0AEFD96CB28DC52887A726E3C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310897Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.837{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-7824-6197-DE9E-000000000E02}7296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310896Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.833{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310895Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.833{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310894Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.831{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310893Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.831{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310892Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.831{CBEA6AB7-69FF-6192-0500-000000000E02}408524C:\Windows\system32\csrss.exe{CBEA6AB7-7824-6197-DE9E-000000000E02}7296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310891Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.831{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-7824-6197-DE9E-000000000E02}7296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310890Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.794{CBEA6AB7-7824-6197-DE9E-000000000E02}7296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017310889Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.538{CBEA6AB7-7824-6197-DD9E-000000000E02}38528548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310888Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.499{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CC117A77FD18C5E4B6F14260AE22BC0,SHA256=C8FA986E95ED2A1AAF5F2EAFBA35E2928B45E6EE5DF657C72B032BE3BBB27E90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310887Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.288{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-7824-6197-DD9E-000000000E02}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310886Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.286{CBEA6AB7-69FF-6192-0500-000000000E02}408424C:\Windows\system32\csrss.exe{CBEA6AB7-7824-6197-DD9E-000000000E02}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310885Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.286{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310884Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.286{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310883Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.286{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310882Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.286{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310881Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.284{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-7824-6197-DD9E-000000000E02}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310880Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.271{CBEA6AB7-7824-6197-DD9E-000000000E02}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310879Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:44.106{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEAF0F90182C0362E5FFFF6A4A5E2C3A,SHA256=FC03EECCCFEF89AE7BE5F78A99E2CD878CC08826970ADC98BC8FF4D165ACFCD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121373Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:02.398{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-37594-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121375Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:45.407{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEA98D51A296D0154B80B97F8E636E3,SHA256=C61B419AAF6F5D86C7203F12702ACB26EDBDDE4701EA163C11EE1B5613BE01D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310908Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:45.852{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2F98E41F17A34759569FC7ABC8727C1,SHA256=004A544CCFD13A47EF2E872ED900F2FD9E2CDBDF3A37DCAFE890801BC10286FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310907Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:45.594{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-7825-6197-DF9E-000000000E02}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310906Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:45.591{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310905Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:45.591{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310904Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:45.590{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310903Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:45.590{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310902Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:45.590{CBEA6AB7-69FF-6192-0500-000000000E02}408524C:\Windows\system32\csrss.exe{CBEA6AB7-7825-6197-DF9E-000000000E02}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310901Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:45.590{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-7825-6197-DF9E-000000000E02}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310900Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:45.576{CBEA6AB7-7825-6197-DF9E-000000000E02}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310899Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:45.119{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14F58DC21C09EB6E3663541EA0E97E7A,SHA256=9814FEFD811A4C66F4E4425FD6122E837F2C258CC5CC39493B1740CF05D11140,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310898Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:45.056{CBEA6AB7-7824-6197-DE9E-000000000E02}72965328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001121378Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:46.438{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC2A4853775C9F8E7D3F8A7CF582AF6,SHA256=ACA62EC6FA13B58B95D12901C2A988F9199AC8F62C981804365652133357FAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310927Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.973{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97DCDA66950B00A581422D254983495A,SHA256=FBC82EF8C3BD426653E8AB6E3ADFD891574722B97C587ABFF5ABECC319A8CC98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310926Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.963{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-7826-6197-E19E-000000000E02}8540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310925Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.961{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310924Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.961{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310923Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.961{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310922Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.961{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310921Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.961{CBEA6AB7-69FF-6192-0500-000000000E02}408424C:\Windows\system32\csrss.exe{CBEA6AB7-7826-6197-E19E-000000000E02}8540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310920Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.959{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-7826-6197-E19E-000000000E02}8540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310919Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.948{CBEA6AB7-7826-6197-E19E-000000000E02}8540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017310918Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.449{CBEA6AB7-7826-6197-E09E-000000000E02}9605424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310917Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.280{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-7826-6197-E09E-000000000E02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310916Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.278{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310915Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.278{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310914Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.278{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310913Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.278{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310912Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.276{CBEA6AB7-69FF-6192-0500-000000000E02}408492C:\Windows\system32\csrss.exe{CBEA6AB7-7826-6197-E09E-000000000E02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310911Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.276{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-7826-6197-E09E-000000000E02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310910Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.263{CBEA6AB7-7826-6197-E09E-000000000E02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310909Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:46.132{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BAB8FD68FCC5C91198FD341D58CDA6,SHA256=5F439A11A12864A06135F5FCB593700EB1FB376C27866BD8D216D60BC47F26F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121377Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:04.746{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse136.25.184.139136-25-184-139.cab.webpass.net54122-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121376Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:04.315{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.229-54277-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121379Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:47.438{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FDB2AAB6910F98018DC163FB8AEF81,SHA256=C110BC269D0D7593DE10BB21BBF71F5196DB373DB6F99B6121466FD1F9DE783F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310939Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:47.650{CBEA6AB7-7827-6197-E29E-000000000E02}81204628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310938Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:47.483{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310937Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:47.483{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-7827-6197-E29E-000000000E02}8120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310936Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:47.483{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310935Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:47.483{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310934Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:47.483{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310933Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:47.483{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310932Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:47.467{CBEA6AB7-69FF-6192-0500-000000000E02}408492C:\Windows\system32\csrss.exe{CBEA6AB7-7827-6197-E29E-000000000E02}8120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310931Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:47.467{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-7827-6197-E29E-000000000E02}8120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310930Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:47.468{CBEA6AB7-7827-6197-E29E-000000000E02}8120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000017310929Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:43.369{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-52390-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310928Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:47.145{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AE122ABF29B3BFFBF089CD45333821,SHA256=3D80682B6CF514C8B6949B6B092A0864284C0A685785AFCD9EC654309034F62B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121381Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:48.458{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DE3910152C98B4F05DADE374715675,SHA256=30545FB2EB65B92FAFDA8C83832405E6C2650EEC3C00E9F73C64A4935E353F0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310946Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:48.482{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D74798458993CC22A2CA2DA36602A7F5,SHA256=C3863615E2BB46FEFD13659C79E2C8B25DB7A2FF1A1F9F39984F8B401D938A47,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000017310945Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:48.467{CBEA6AB7-643A-6197-729C-000000000E02}7764C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\AlternateServices.txt2021-11-15 14:43:45.397 23542300x800000000000000017310944Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:48.467{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\AlternateServices.txtMD5=F6D2A6AAE1D6A2FE38038945AF44BA8B,SHA256=F7B2F7F63A8261ECC8357E2358BADEFB6BC984E38567F62B99C65E8298CB4887,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000017310943Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:48.414{CBEA6AB7-643A-6197-729C-000000000E02}7764C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\SiteSecurityServiceState.txt2021-11-15 14:43:45.297 23542300x800000000000000017310942Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:48.414{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\SiteSecurityServiceState.txtMD5=75AB379F4C9AC39899F4B72D94E70D58,SHA256=54C57F44536C194653B61FD1E90C63D5529B81F55E47215A01308FC87C71E0AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310941Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:43.685{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60126-false10.0.1.12-8000- 23542300x800000000000000017310940Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:48.166{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37E1EE6DEEAE8C00CB64B153A7AC52E,SHA256=76CB7428DBF3949A87B8EAC2D7D7D4BC1FC568CD4BCAF03233BCCF052FCD7CC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121380Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:06.172{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54349-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121382Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:49.522{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DAAB204F584DAB360812BC88879E2B,SHA256=74DF7B586E5530F3D2108EA99C1A693B71A6CC96D85C65CBC29C9F662AA26A50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310948Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:45.018{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60127-false10.0.1.12-8089- 23542300x800000000000000017310947Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:49.166{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB50DA06EA73B708C7A28B7329BA90F,SHA256=A249DA4173E2D1BA021BDCBCEA2D4FF4AEF7C7F706084638C8DD7A539F20B6E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121383Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:50.538{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9426B6BDB9502A2BBF8F89C1D8A09127,SHA256=1B34DD784C0C74EAB0CFD1B1046C88C63722006A96CDC89CDBECFDC1DB910AC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310969Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.765{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310968Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.765{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310967Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.749{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310966Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.749{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310965Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.749{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310964Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.749{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310963Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.749{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310962Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.749{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310961Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.749{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000017310960Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localT1122SetValue2021-11-19 10:10:50.727{CBEA6AB7-782A-6197-E39E-000000000E02}9004C:\Windows\system32\dxdiag.exeHKCR\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\(Default)C:\Windows\system32\dxdiagn.dll 10341000x800000000000000017310959Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.727{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-782A-6197-E39E-000000000E02}9004C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310958Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.727{CBEA6AB7-6A01-6192-1600-000000000E02}12805156C:\Windows\system32\svchost.exe{CBEA6AB7-782A-6197-E39E-000000000E02}9004C:\Windows\system32\dxdiag.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310957Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.727{CBEA6AB7-6A01-6192-1600-000000000E02}12801336C:\Windows\system32\svchost.exe{CBEA6AB7-782A-6197-E39E-000000000E02}9004C:\Windows\system32\dxdiag.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310956Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.712{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310955Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.712{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310954Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.712{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310953Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.712{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310952Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.712{CBEA6AB7-6F11-6192-D304-000000000E02}40923604C:\Windows\system32\csrss.exe{CBEA6AB7-782A-6197-E39E-000000000E02}9004C:\Windows\system32\dxdiag.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310951Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.712{CBEA6AB7-780A-6197-D99E-000000000E02}60049016C:\Windows\system32\cmd.exe{CBEA6AB7-782A-6197-E39E-000000000E02}9004C:\Windows\system32\dxdiag.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310950Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.715{CBEA6AB7-782A-6197-E39E-000000000E02}9004C:\Windows\System32\dxdiag.exe10.0.14393.2457 (rs1_release_inmarket.180822-1743)Microsoft DirectX Diagnostic ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationdxdiag.exedxdiag /t c:\temp\sysinfo.txtC:\Users\Administrator\ATTACKRANGE\Administrator{CBEA6AB7-6F13-6192-9E98-2F0000000000}0x2f989e2HighMD5=547556E6022C3F8814D5C9D59BE746C8,SHA256=D035316F6BDF5009934565079CE30EA49A540492780CA476571C904B18C8518A,IMPHASH=BF1BC5E91C7FEDD371D86092799F9519{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000017310949Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:50.181{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5D95EA39C5385BBB7AF48CE433507C,SHA256=0D25873FA4DBAF19D4136E2BCB93E38AFDA38851196CF2D6928CBC0F8E062718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121384Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:51.555{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2E9DED78E907D590A7E70F8F6F62D3,SHA256=513A477E07C67088D787BB8A2FA556BBA1BAEE1172E8A3FBF385C38648197946,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310999Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310998Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310997Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-6F21-6197-CE9D-000000000E02}4324C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310996Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-68EE-6197-149D-000000000E02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310995Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-66F2-6197-D49C-000000000E02}4912C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310994Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-66C3-6197-CC9C-000000000E02}7272C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310993Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-643D-6197-7B9C-000000000E02}6860C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310992Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-643C-6197-799C-000000000E02}3116C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310991Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-643C-6197-789C-000000000E02}4060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310990Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-643C-6197-769C-000000000E02}6724C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310989Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-643B-6197-759C-000000000E02}6696C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310988Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-643A-6197-729C-000000000E02}7764C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310987Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-7FD2-6196-8F81-000000000E02}7484C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310986Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-7FD2-6196-8E81-000000000E02}4732C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310985Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-7FC5-6196-8C81-000000000E02}8780C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310984Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-7D11-6196-3481-000000000E02}5428C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310983Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-7D11-6196-3381-000000000E02}7464C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310982Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-79D5-6196-CD80-000000000E02}9060C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310981Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-7907-6196-B680-000000000E02}8912C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310980Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-7907-6196-B580-000000000E02}6088C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310979Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-78E0-6196-AD80-000000000E02}5108C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310978Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-78A5-6196-A280-000000000E02}2672C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310977Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.811{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-6399-6196-1A7E-000000000E02}5348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310976Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.795{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310975Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.795{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310974Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.795{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-936D-6193-B527-000000000E02}6292C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310973Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.795{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-6F14-6192-DD04-000000000E02}4136C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310972Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.795{CBEA6AB7-782A-6197-E39E-000000000E02}90045212C:\Windows\system32\dxdiag.exe{CBEA6AB7-6F14-6192-DA04-000000000E02}3932C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+12100|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310971Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.745{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9740D0DFE0A9543908D97E3BAA1DF1D3,SHA256=913416C1E5ACDBA6ED0CF4D0B1597346DE84FA18736DAEEFC9A9DE963C1B8A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310970Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:51.211{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB14AD98E21A6A983BA51F8A0ADF453,SHA256=5DAE5A62A0A8454743B80CF6ADED518062877AEC2B7171AEDF34EBE29279B2DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121387Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:52.590{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A985735F1901ED59AD67D29F7103D87C,SHA256=BB041F221A4F421B31EB5915766010CC2446A1031376106A208FB6FECAD6A4E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311001Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:48.731{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60128-false10.0.1.12-8000- 23542300x800000000000000017311000Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:52.243{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A13B0F87949C288F53DF6CDCF670E2E,SHA256=12A5893FE0D77861E28D066073AB7C9AC5C034E3521F6D5B27937C93C75CD036,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121386Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:10.993{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-48698-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121385Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:52.006{068A336D-6CBE-6192-9900-000000000F02}3876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121390Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:53.657{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54602DAA89E4C528EF0D47D8474535B,SHA256=4B3870174D2CA287D7E22AC5A3317A8609C2F510A1289A16AA362603FEC34B17,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311010Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:49.526{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-38268-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311009Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:53.449{CBEA6AB7-782A-6197-E39E-000000000E02}9004ATTACKRANGE\AdministratorC:\Windows\system32\dxdiag.exeC:\Windows\INF\display.PNFMD5=F519164FFBB6CCE04EF60BEEE6723ECC,SHA256=CB8075EFC034B5CE528536BE7ED106C97BAF3D94BDC57FDAC1ED9720CB4AB4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311008Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:53.449{CBEA6AB7-782A-6197-E39E-000000000E02}9004ATTACKRANGE\AdministratorC:\Windows\system32\dxdiag.exeC:\Windows\INF\display.PNFMD5=E0A61D757A694BA56A6FC0181A577D40,SHA256=F375A18DF78628D2FFBC9FE5CE7FE9398F139D458EF51509F1B9A9767F77D2FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311007Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:53.329{CBEA6AB7-782A-6197-E39E-000000000E02}9004ATTACKRANGE\AdministratorC:\Windows\system32\dxdiag.exeC:\Windows\INF\msmouse.PNFMD5=B0E2A6E15D02DD541FBD7E8B216E9533,SHA256=3D79F49AF7CAB1BDD03D28707D468CC917C89F89EB57AC3D3A3392180EFD38BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311006Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:53.265{CBEA6AB7-782A-6197-E39E-000000000E02}9004ATTACKRANGE\AdministratorC:\Windows\system32\dxdiag.exeC:\Windows\INF\keyboard.PNFMD5=99DD1EEC7486D801BEFF8A03A7FABC0D,SHA256=AC7137D20297B5A4C98B281079962BDA77E520F34CD0E21C765726B99D9600F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311005Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:53.265{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959C5B1CA7E1483902F744AE404FB00C,SHA256=D7D21C55C1ED3D91657F3353C82F84B562D0513A664D7B2500EDF5624A918D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121389Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:12.055{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54351-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001121388Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:11.218{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54350-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017311004Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:53.149{CBEA6AB7-782A-6197-E39E-000000000E02}9004ATTACKRANGE\AdministratorC:\Windows\system32\dxdiag.exeC:\Windows\INF\msmouse.PNFMD5=ED367E8487C9FAC07A82DD6578D17E09,SHA256=C394057CFC8AF05EA9121C01A7CC11760A200E2B530359E5DB1D9B3847AE6617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311003Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:53.149{CBEA6AB7-782A-6197-E39E-000000000E02}9004ATTACKRANGE\AdministratorC:\Windows\system32\dxdiag.exeC:\Windows\INF\keyboard.PNFMD5=D897FCA8E7DE480CC583FFD4028E925A,SHA256=CC2A2758D5A0AA69DEECFC5A7B0718F5BF0F7E54C605267A3980459E978C91C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311002Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:53.112{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C61F8B29313B4C9345F242A2E09E3A25,SHA256=E5BC739CE147FB8E70BCD20F5272C852E69A9B77E58CF26DBB7D350E36002B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121391Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:54.790{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7E399AEE81D779A90EA5249F120D5B,SHA256=1EB2A559835C4BA49CC0DE62340D94B34B30A8A525FA9BCB45CF25EC55208BAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311013Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:49.934{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-39154-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 11241100x800000000000000017311012Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:54.303{CBEA6AB7-782A-6197-E39E-000000000E02}9004C:\Windows\system32\dxdiag.exeC:\Temp\sysinfo.txt2021-11-19 10:10:54.303 23542300x800000000000000017311011Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:54.272{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7994638A890B8F1B7271CA6DFCE44799,SHA256=FF1A7ADAB62A23EFB02B534B43F5103B3246FB1EA2697CD21713088C9556AA82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121393Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:55.806{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF7D5525FE22824515C9D0D156D6EE5,SHA256=2587F0FED4A00CFB67E4DE7F8B2F7204A69FB91B0EFBB707FC5025F0443C1667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311015Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:55.302{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F946115284C485EFB5953CD60BB05D9B,SHA256=1D2835F0897DBBF31CF664D12372B1F460D739D6F1E32AC3D0C41E6D459EDCE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121392Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:55.678{068A336D-6C47-6192-1B00-000000000F02}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\respondent-20211115141851-5374MD5=7D5F4D75B6205BAE0B0CD245353355AE,SHA256=FF29CB026251AB2F621324A386EBB740C0EEF4A7746CD7FA9FAF12CBD8E709CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311014Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:55.186{CBEA6AB7-6A01-6192-1100-000000000E02}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DAD17C400123E1035FCF5DBCF0874794,SHA256=C1D4660BCA389C18A7A2FC7A2EA11198DC5CD3F30D8B2A966DD290F016453576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121397Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:56.858{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBFAE613BB28EE05BC40E747479F31F9,SHA256=FB333AEFF3F6BA6B517CDC7F3BA2310550F2808F0AF7656A7D38EF14748A0C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311016Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:56.302{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EBFA6403F2321007649B635DB65D3E3,SHA256=E3FE064D5FA49DA15B571B3CDE6D4CCFA19CD247CD1CC9D2AC8B7C8853234C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121396Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:56.679{068A336D-6C47-6192-1B00-000000000F02}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\surveyor-20211115141847-5375MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121395Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:14.706{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-34284-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121394Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:14.354{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-35324-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121399Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:57.924{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB53EE6263F57C59B0BDDA9A7A709BA,SHA256=707DD1F398E9C0011D9C603598916DB35F93B2A6749A74BAF63578349AA18AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311017Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:57.319{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E4B5F91F16DBD73DAD79E3376E270A,SHA256=478E66DB28F6BC19D67FC698FD4E390B63D473739A26A6F9A12D81666B16B0EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121398Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:15.974{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-59860-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121401Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:58.961{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D61727391AEB98684E7EC555D256E1,SHA256=0F886CB25E3D2C78B4A0C6BD558DC57C43EFC80492A484A2CB1A300598BD3408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311018Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:58.338{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7CB1208BC238419C0FF73EDFA80E86F,SHA256=72BC59AF6E525AE7A9065D5619544D2A7730E79B4158E29F0E9552003F913186,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121400Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:17.221{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54352-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121402Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:59.979{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3439A7B2D7AFBF3BE58DCFE6F205C5B,SHA256=5127D5A24D6B747BBAD1EAA6D6A890C60EBD8B10F40D6D40301472411A8C5FAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311020Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:54.621{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60129-false10.0.1.12-8000- 23542300x800000000000000017311019Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:59.370{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F125E0D060DDAE98CC17383ABFA8C3D2,SHA256=4F83C059202694629F9DED4CB273711E66570A3DEA8897704312A4A8C1835CFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121403Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:00.993{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D279A6C4FE890191F2BA0F3DE2470771,SHA256=F9E3F041BF6C1EE940976084AEEC480ACA42D19C3CF2AE2DB2601467A72C41EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311051Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.869{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF5FD4094578A491DE35E4392E83C80A,SHA256=586FE25B086AD2E9C6F4FC802CED644670C88D7AFA88C59760CE96C6FE46DC11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311050Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.869{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB9081E0A7C705247E943269B559836A,SHA256=530CD84D12604B96D2FA004CCD2D7BA0169E711E99E9FD6D4AF37257138FDFB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311049Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.719{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=7E3E2F0491D955BC48A250EDC7D4C3A0,SHA256=6DFCE23E59A3266CDD8B8E5FF283EB924568B4004B8008C3B5EF6586760FC3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311048Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.718{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311047Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.700{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6056EF5BF27D3C0874CF03B36EECD11B,SHA256=E7F2BDAAEF4F690789849698072F17D89C35364E208A6C4C16F26F337F466925,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311046Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.169{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311045Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.169{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311044Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.169{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311043Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.154{CBEA6AB7-6F14-6192-DE04-000000000E02}41924312C:\Windows\system32\taskhostw.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311042Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.154{CBEA6AB7-6F14-6192-DE04-000000000E02}41924312C:\Windows\system32\taskhostw.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311041Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.154{CBEA6AB7-6397-6196-187E-000000000E02}18568668C:\Windows\explorer.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311040Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.154{CBEA6AB7-6397-6196-187E-000000000E02}18568668C:\Windows\explorer.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311039Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.154{CBEA6AB7-6397-6196-187E-000000000E02}18568668C:\Windows\explorer.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311038Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.154{CBEA6AB7-6397-6196-187E-000000000E02}18568668C:\Windows\explorer.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311037Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.154{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311036Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.154{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311035Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.154{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311034Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.154{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000017311033Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.138{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-11-16 11:25:39.279 10341000x800000000000000017311032Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.138{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017311031Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.138{CBEA6AB7-6397-6196-187E-000000000E02}1856ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=5EBBDE013764B4A527B695A01697C1B4,SHA256=5CA1D12A5810D6BBE4D5B98A8C653A70C83C7FCCFFE5AADF3B4663E20A35DB2F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000017311030Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.122{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\sysinfo.txt.lnk2021-11-19 10:11:00.122 10341000x800000000000000017311029Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.122{CBEA6AB7-6A01-6192-1600-000000000E02}12804880C:\Windows\system32\svchost.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311028Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.122{CBEA6AB7-6A01-6192-1600-000000000E02}12801336C:\Windows\system32\svchost.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311027Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.085{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311026Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.085{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311025Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.085{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311024Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.085{CBEA6AB7-6F11-6192-D304-000000000E02}40925240C:\Windows\system32\csrss.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311023Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.085{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311022Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.085{CBEA6AB7-6397-6196-187E-000000000E02}18566120C:\Windows\explorer.exe{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\system32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311021Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.086{CBEA6AB7-7834-6197-E49E-000000000E02}4260C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Temp\sysinfo.txtC:\Temp\ATTACKRANGE\Administrator{CBEA6AB7-6F13-6192-9E98-2F0000000000}0x2f989e2HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 23542300x80000000000000001121404Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:01.993{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1304AD3BD4CA8E7DC8C24BC0552BF99,SHA256=C9FE1F14E6377F97BE88ED0ABF33218829A25FC42C85B730C9BE621856F8D60D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311053Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:01.737{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CBD5FDB72B6762BE7BA9E9B1BC094D9,SHA256=B7362823D062066FF9B318DF09027E86E56762C987F5BBFFDCDED8E4226394D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311052Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:57.262{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-55234-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311055Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:02.752{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24253E22DED982BDE05E3540936298C9,SHA256=722CCECA32A580700FBB1B9BEDCE7360B55E6254B30CEB22B5C894B80F00357E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311054Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:02.468{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF5FD4094578A491DE35E4392E83C80A,SHA256=586FE25B086AD2E9C6F4FC802CED644670C88D7AFA88C59760CE96C6FE46DC11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311058Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:03.767{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF28CC0556F24E5D2AA7CC6115C4710,SHA256=789A3E8CB043F5D514C2D727268310AA32D1282A7414603D83AD4A03C5534DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121405Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:03.009{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D6EF187C3F706EF2AB79C4FBAFF60A,SHA256=810D8478D2566B48AFDF31787E9494D79420D8CDF09D43B122700EC8AAF671DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311057Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:59.787{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60130-false10.0.1.12-8000- 354300x800000000000000017311056Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:58.860{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-57928-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311061Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:04.781{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA4A71541AFCFAA8AA8AEFB200672235,SHA256=96D127E08172293341A99D3C6715667E772716DA4C24C65E9AF51712D824CE44,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121407Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:23.243{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54353-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121406Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:04.024{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACEE7A6EE2093B61F2ADA5CA144A5C3,SHA256=D88C21BEED1B1C452A5177F2F22F798826B338E6005173BDE4BA887686A13C1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311060Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:00.294{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.93-57456-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311059Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:04.016{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0283F05EE3C9A35523FD73E8DAC81DF8,SHA256=579B7C5205DA04F44AD5989ECA8E5C801CBC1D590B088DA6D2F43BB4FD1E4AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311064Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:05.781{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=535546A30E358CCFC594424626193F4F,SHA256=35CE571606F4736147BFC730BC311CCFC804CD9B2289F968AC79485424E22172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121408Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:05.024{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6ED5A5E55BDB205EAC5A2AADDF040A1,SHA256=331E61292E89B5AA925FADA088FA2CB660251B213C841872EBD3D1E572DED1BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311063Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:01.512{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.155unn-212-102-34-155.datapacket.com61321-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311062Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:05.197{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29ABB890AF686F5683221767E68A232F,SHA256=7736028E7430F51D0C2B321CCC1E7A4A9591C3547F5A53E6F3C2CE6B10F13B74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311067Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:06.782{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB39CA2FA6EBCD9E35E88AC58F6B392,SHA256=3CC742CD2B000CC49B6FFF852537D3D72A66917927AD93A4BBCA709B5176B35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311066Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:06.782{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\glean\db\data.safe.binMD5=9ABEB22995FAA125AAFC48B7001EFAD8,SHA256=20D2451FB695C3F6F943ABE1A67EF3768758DD8AE54571FF3D951413DE18C99E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121409Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:06.025{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A775E3DA2674F6DF745A93322B6736,SHA256=F705D2B812B57583AD1F5DECD9D621034AEEB3B3119086BF3E899A1BA3D30099,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311065Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:02.209{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-36248-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311068Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:07.796{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A26B73C59C21C52AF8D6DAAA91D126,SHA256=C2686D74F74FAA22E8F7B7C51013E2B45F9494E284DA1DF8A20504C0EFCE0BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121410Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:07.163{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6056D9E11878A336CC80EC799DA4EDD,SHA256=C1CE83706486C045E7F571AA7580565A2E0343D11D079E2CD88B5CF5F4690D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311070Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:08.948{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D3AA86B093891411E5F1C02D9F6CDD7,SHA256=BE2BAA92A217838CA3855B5551D50E6BEDBAAE9A6E0A2E67ADBEF9244CFAC0AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311069Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:08.814{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D0E35C415EE332053F91DD73DA0065,SHA256=BF4ECAD8E1218BDE9639F80C227965F7464139AE01965BA3EBEB586EAB00DA81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121412Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.775{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-33042-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121411Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:08.182{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8B8A58D41118C38E42AE85AE800CCD,SHA256=165D3FBFDE665F08E5D0C77A6CCF59EF773AFCB4E7BF02A0DFE68C232F1757DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311073Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:09.831{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E835C52026A91E1185353CB0F8C2D6,SHA256=7BE494D4E7FB4AE925BF188E255883D690E9B4F05CD4755AC3067D80F467EFA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121415Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:09.812{068A336D-6C46-6192-1200-000000000F02}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6B9F550457048C4F322939416C92DDE4,SHA256=A617E9838D8A16F4FDDE72C194993F73D8A67FD659E7669CABD549ACDFA8BB0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121414Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:28.326{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54354-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121413Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:09.197{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1E82D5435D34792B23673EE1488B97,SHA256=433264889786AC878BBCB1C9CB5B34F52ECEB2C992B20091B06605D962CD9E7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311072Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:05.647{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60131-false10.0.1.12-8000- 354300x800000000000000017311071Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:05.185{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-43352-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311075Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:10.845{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58337138FA3F9CF7D2CC8F816D20BD19,SHA256=A6E9022C757A2585765F09B5E50EAA9436BADED14AACFF91DE5085463817BF9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121416Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:10.198{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80C6F034A48F3583612EAB6E51281E9,SHA256=E855C4593731921CB18AB51132812E3DD07626807591009CE02B40208C617513,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311074Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:05.980{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-46318-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311076Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:11.876{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3F09DF95ACC1099C108BAF81FF4DC8,SHA256=0D9EDE1CCCB57BA628A40216201520C633646BC3F922564F11770BB11E617829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121417Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:11.262{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C06F70EEFB71747C7B050983E10F9A,SHA256=2B8B704AB88F7DE53B2B75DA99A2B1779C0B2EF9490B22C9809C0EA9AC537043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311077Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:12.890{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DFF600DE5C1A340CFB4A39E65A7EED9,SHA256=3BE4277653B0F8CAB13DB400E5169D35AF480525902D04D3E1EB161461BE4429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121418Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:12.281{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=363AA204D6ECAEEBE8F98B93778DE847,SHA256=E6BFBED554687657D63ADA0C9ACC35A6332A4CFB2BE76F261483FA02F20D0935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311079Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:13.913{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4864868D61E18DCA07AB71EACD6578E1,SHA256=151638AA7A47148284079C911D93366F4463BFD4A2041743ABF0245D5AE32695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311078Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:13.893{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D133B6B60AE9F39B0AF49FDF93969E5,SHA256=03DC380BF7781B49F360EA93F74875C31CAD71FACF629D5EBF5889FF3FADD191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121419Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:13.296{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC19AB62AB57F1DA1D1EA4F1B6833A6,SHA256=635AE7C2847BE3E5A1EB5579E13AB7D75756A7C03B4BD724CB27E6184A015EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311084Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:14.912{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4230869E2BC240EC00015C6BC3E9D8C3,SHA256=E5D9416DF83CFC4C977D421317969FDC1E5C6B8973A8603A69213E8DB31D7215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121420Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:14.311{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB24F324B498F5CD75238B5C3EE30484,SHA256=AE41B28D3A8DD7733DC75DCA147F2A7A5287E76A650574C21DFB735937A1FD56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311083Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:10.798{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60132-false10.0.1.12-8000- 354300x800000000000000017311082Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:10.690{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-55888-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000017311081Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:10.304{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-54244-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311080Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:14.309{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\glean\db\data.safe.binMD5=19088527EF06FBD42FCDAC5C19EE1936,SHA256=C819BB568215541F142A4D4B6BB53ED97B3D7E2ABC321A1DF8156AD7D45031DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311085Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:15.929{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0D6C80EAFE38BC44968ECB075D63EA,SHA256=64387323E4C686D168F9D5D463789F2946493B43FA5A555412D56E62ADAD2182,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121423Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:34.246{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54355-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001121422Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:34.098{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-49762-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121421Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:15.364{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA211D8B1EF7ED1FD281E1F3686A00E,SHA256=78788C31C11E7DD0C8BD6DC987BFEECD341A91AB7CE5A0193BA59664D609947F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311086Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:16.930{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02FEFE0EDF905A4ED59A03AFB04303E,SHA256=C58DD7492404A66F0CEC43553247D7BE8A106863DFC4309FA2C7D855639374E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121424Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:16.380{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BDAB601849D9AF245A4E9950CC88F1,SHA256=3D3DC4CD6E76E2E557EB38FA2165D1AF9607F44615E22C1B5B729EB7D71F3B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311089Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:17.960{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D7238AB1AD2C1031E875FE5995DB616,SHA256=937E16845848E42C424970431827CC077CB334EBF78432032E5B8F975B35D7D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311088Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:13.834{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-34772-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x80000000000000001121425Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:17.410{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542CE1B97C399EAC3BDA4787AA5FB0DB,SHA256=BB08199AF7B41EE621819EA1A71EFD64E88118BC34053849D641996782AA8AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311087Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:17.545{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6AC6B111430FA6E20CBFE8BAAB251D5,SHA256=01316406734C6F12A64F4BDCB7791B7AC21FD1F3163CEC5B7416A5FDC338436C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311093Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:18.990{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38330A3E1B9CB99786044BDC7AD07A4,SHA256=413B9DEC4D6421A71C517559878D4FE3893DC5CFF31E237E944EB62505F6FF4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121430Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:36.833{068A336D-6C42-6192-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgmfalse10.0.1.15win-host-273.attackrange.local138netbios-dgm 354300x80000000000000001121429Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:36.833{068A336D-6C42-6192-0100-000000000F02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-273.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgm 354300x80000000000000001121428Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:36.647{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-48622-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121427Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:36.039{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-47564-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121426Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:18.441{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E985381BBF74529DDAD1E5460F4EF528,SHA256=D53BB238285EF78639B6145B2929EB08EBECB19E37917FFFF57E44DA73BA79E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311092Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:18.244{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311091Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:18.244{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311090Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:18.244{CBEA6AB7-69FF-6192-0B00-000000000E02}624672C:\Windows\system32\lsass.exe{CBEA6AB7-69FF-6192-0A00-000000000E02}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001121431Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:19.460{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4483D214B5983E0CCF741281C53CBDA,SHA256=ECF48AF69560B9CAB91049ED56BCA9680AFF0E81249A679EC2F558EF2BE032A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311096Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:19.327{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\glean\db\data.safe.binMD5=A9111996FC1B1C3497B88ECE63E2D0EC,SHA256=0E42B7B72AB1AE4A56A0E217F02C4C02554AE8D7AB506A67D0DF1F2ABC642C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311095Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:19.259{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A39634B32A4C63F84AEE545D46A30696,SHA256=79E9A1970C685EB25E07E8999BB65BF7A93DEFB47B273BEED4DED09B84DB86C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311094Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:19.259{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=349C1A68D162A12F1BD262C240BBD2CB,SHA256=DB627E9384C1EAB399ED5A6E3661F8837250328AAF33060012F1CB3370C0D3A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121433Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:20.477{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE817C84F47E48CD1EF0258C15DA4224,SHA256=5AE0FA43D4DA6659F45F391CB6D8DF316C874D9A1F89366BFDA1B2BDBFF9789F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311100Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:20.011{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6BB5E78931AE1FE8DB0BBDDBD8F911,SHA256=FB91DF5BA97F20AD39A5B00E77F65E6CEDEE33349DE83705404E504805FFA8C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121432Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:37.856{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-57498-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000017311099Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:15.809{CBEA6AB7-6A01-6192-1400-000000000E02}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-970.attackrange.local60133-false93.184.221.240-80http 354300x800000000000000017311098Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:15.805{CBEA6AB7-6A11-6192-2D00-000000000E02}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local59992- 354300x800000000000000017311097Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:15.805{CBEA6AB7-6A11-6192-2D00-000000000E02}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local57813- 23542300x80000000000000001121434Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:21.507{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F064D279BEE89237EBA6D9083CD057E,SHA256=C75D9EB8635AF5E6254C2CA6FAC06F7AE8933EFDCC8F642E68934F9E07E69167,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311102Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:16.610{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60134-false10.0.1.12-8000- 23542300x800000000000000017311101Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:21.026{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919646F4CB3353DB2804B4FB8CFDC575,SHA256=A9464D2C213B7FCC51F5428F48A906A5CF47E9647B9BFA5AA4C09261C289800A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121435Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:22.608{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02EDFB0DDA546EAA4E678DE65E0EE3BD,SHA256=CD90AA5FFDCBFC18EA50BA02468D5710A091ACE117B79A5542A49D3349A3D186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311103Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:22.042{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9559FCA300432370D75F98F85EF2BE0,SHA256=6D754E564FC4203133795C238A80265923739B8196C00830C36A401A6C412715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121437Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:23.639{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8DB4C4C681CCB71D840346EF92E70D,SHA256=D0ECDC2B9982184C6DB6DD40FAC1EB24D97F7C4E8078CE7C2D9EA04A0C6BB773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311104Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:23.061{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D471D4304CE39745473AB1AB80C08A2,SHA256=C12EAD2D7650E285CFCAA24306FC7ED04FFCEBD74616C87F3C4EED655015C58E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121436Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:40.222{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54356-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121438Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:24.676{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F495DEDC222FBDB0335DA2CF6E9E70D,SHA256=560110E39C52ED64F1B159DB1CA4012D21C977F8D1896ED70762E93C43FE2482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311105Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:24.076{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4DA3A6A53EE6CE44F97129100CC5F6,SHA256=C0DB5E7D45AC8C06220CD5EFD716D3824FD92BDB0FFD4BAEC2DF6887805AAF41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121452Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:25.706{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1D4B45F762674FEBC727FAD381ED1A,SHA256=41E3958C4D8B4C74C8D0204EFC77D544AE2DEF5DA774130C067A5C2F356D703D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311111Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:21.659{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.82.77.234scanner.openportstats.com23459-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000017311110Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:21.626{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60135-false10.0.1.12-8000- 23542300x800000000000000017311109Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:25.322{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA6105E3F5337DC2848C468A5A9A02E5,SHA256=451F53B9AE9D1F4348D3DEF60BAD34F4B990D8F436EFEC6F999AE2A5529DE526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311108Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:25.317{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B35E5C04EAD8DF8FECFB147C0CBDCBC6,SHA256=F37503CE3D70BA4D7BE27DC0F8B4A06BFCA3F3129639CC59E49EC5824F34042F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311107Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:25.309{CBEA6AB7-6A11-6192-2900-000000000E02}2928NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\respondent-20211115140924-5383MD5=B1D65678BAAFB9FBC346ADDC22B9EF13,SHA256=A60E4A1EB0B1846EE4D092EA74D659E3EDD5022A58AD08DA4DCF9E97FBF70157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311106Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:25.091{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53943CDAAC45AD882237B419A975A973,SHA256=75D17A8FF47A938AF3A272FFF9A28AEE7BD4A0161C1D0E261C4A487F20E6A34C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121451Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:25.675{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-784D-6197-8FA1-000000000F02}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121450Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:25.659{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121449Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:25.659{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121448Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:25.659{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121447Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:25.659{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121446Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:25.659{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121445Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:25.659{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121444Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:25.659{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121443Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:25.659{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121442Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:25.659{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121441Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:25.659{068A336D-6C45-6192-0500-000000000F02}408524C:\Windows\system32\csrss.exe{068A336D-784D-6197-8FA1-000000000F02}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121440Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:25.659{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-784D-6197-8FA1-000000000F02}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121439Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:25.655{068A336D-784D-6197-8FA1-000000000F02}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001121479Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.847{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-784E-6197-91A1-000000000F02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121478Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.847{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121477Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.847{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121476Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.847{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121475Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.847{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121474Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.847{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121473Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.847{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121472Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.847{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121471Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.847{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121470Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.847{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121469Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.847{068A336D-6C45-6192-0500-000000000F02}408524C:\Windows\system32\csrss.exe{068A336D-784E-6197-91A1-000000000F02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121468Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.847{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-784E-6197-91A1-000000000F02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121467Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.833{068A336D-784E-6197-91A1-000000000F02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121466Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.716{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77A8F6ED7039C24B092124F3D00E6CC,SHA256=3E55E031A8E8C7E6F916B632E677EF5508FFB6EA67C3A55D3A212E0CC07AE596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311113Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:26.328{CBEA6AB7-6A11-6192-2900-000000000E02}2928NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\surveyor-20211115140922-5384MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311112Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:26.109{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7890EC482E183C3ADABDFFCBB166C82D,SHA256=607A39DCA25FEA676D705A495AFB922687E918BEF635B14AA1931B6DCE76FB90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121465Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.259{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-784E-6197-90A1-000000000F02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121464Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.259{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121463Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.259{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121462Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.259{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121461Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.259{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121460Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.259{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121459Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.259{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121458Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.259{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121457Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.259{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121456Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.259{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121455Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.259{068A336D-6C45-6192-0500-000000000F02}408424C:\Windows\system32\csrss.exe{068A336D-784E-6197-90A1-000000000F02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121454Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.259{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-784E-6197-90A1-000000000F02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121453Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:26.239{068A336D-784E-6197-90A1-000000000F02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121510Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.985{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6046FC0A290094F7E097BE84F83E32C8,SHA256=2A27E778A2FA19FE2DB8AFC046180F46CDB069602B205E8BBBD9DF17D2FC63C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311114Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:27.127{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97943F33F98A1498E1D415FE61D3604E,SHA256=1B291E49C85859CC36A1DAD2A703E2BAF9BD37017F1FA84884D1228E028D887A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121509Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1D00-000000000F02}2008C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121508Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1D00-000000000F02}2008C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121507Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121506Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121505Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121504Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121503Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121502Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121501Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121500Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121499Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121498Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121497Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121496Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121495Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121494Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121493Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121492Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121491Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121490Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121489Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121488Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121487Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121486Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121485Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0B-6193-5C2A-000000000F02}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121484Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0B-6193-5C2A-000000000F02}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121483Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.432{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0B-6193-5C2A-000000000F02}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000001121482Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:46.124{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54357-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001121481Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:46.119{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-47876-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x80000000000000001121480Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:27.049{068A336D-784E-6197-91A1-000000000F02}28806636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017311115Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:28.141{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A84F6984A07FE5F29E789D0BD81E63,SHA256=55DB11729A9C6851429E3441261A0D6DB4336F1CD5F3E14E4ACB3FD9875EEC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311116Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:29.156{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483397C337B05395441D941F829C22BB,SHA256=A9A1BB2F0FEF3A256F612C9D2FA1EDDD8D95B9B3D7DF61F4DFED05FB746553D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121542Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.932{068A336D-7851-6197-93A1-000000000F02}20526528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121541Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.716{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-7851-6197-93A1-000000000F02}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121540Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.716{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121539Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.716{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121538Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.716{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121537Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.716{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121536Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.716{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121535Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.716{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121534Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.716{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121533Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.716{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121532Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.716{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121531Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.716{068A336D-6C45-6192-0500-000000000F02}408524C:\Windows\system32\csrss.exe{068A336D-7851-6197-93A1-000000000F02}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121530Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.716{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-7851-6197-93A1-000000000F02}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121529Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.701{068A336D-7851-6197-93A1-000000000F02}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001121528Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:48.159{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.114-64987-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121527Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:47.913{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.155unn-212-102-34-155.datapacket.com50537-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121526Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:47.553{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-50902-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x80000000000000001121525Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.300{068A336D-7851-6197-92A1-000000000F02}52123328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001121524Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.047{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C578C43E583421D1DDCA25BCAF598A7,SHA256=F1ECC34D403FF829C4139EDD14A92F48B50FCD900B4F3FF8FEC8C69AD7187966,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121523Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.016{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-7851-6197-92A1-000000000F02}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121522Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.016{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121521Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.016{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121520Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.016{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121519Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.016{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121518Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.016{068A336D-6C45-6192-0500-000000000F02}408524C:\Windows\system32\csrss.exe{068A336D-7851-6197-92A1-000000000F02}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121517Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.016{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121516Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.016{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121515Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.016{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121514Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.016{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121513Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.016{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121512Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.016{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-7851-6197-92A1-000000000F02}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121511Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:29.001{068A336D-7851-6197-92A1-000000000F02}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001121569Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.948{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-7852-6197-95A1-000000000F02}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121568Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.948{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121567Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.948{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121566Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.948{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121565Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.948{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121564Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.948{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121563Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.948{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121562Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.948{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121561Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.948{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121560Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.948{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121559Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.948{068A336D-6C45-6192-0500-000000000F02}408524C:\Windows\system32\csrss.exe{068A336D-7852-6197-95A1-000000000F02}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121558Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.948{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-7852-6197-95A1-000000000F02}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121557Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.933{068A336D-7852-6197-95A1-000000000F02}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001121556Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.269{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-7852-6197-94A1-000000000F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121555Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.269{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121554Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.269{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121553Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.269{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121552Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.269{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121551Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.269{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121550Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.269{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121549Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.269{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121548Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.269{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121547Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.269{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121546Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.269{068A336D-6C45-6192-0500-000000000F02}4081012C:\Windows\system32\csrss.exe{068A336D-7852-6197-94A1-000000000F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121545Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.269{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-7852-6197-94A1-000000000F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121544Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.250{068A336D-7852-6197-94A1-000000000F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121543Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:30.069{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B25AA43B980AED2976AF3B5FC29E0471,SHA256=226C5F473607F1D7DA1BF29EE6241515A061DBFEED0076AFB6E95F07D3FB2B5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311117Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:30.170{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2136846F37D791079184260A0923A9,SHA256=F1B80045386D39A58E1435BF1EAC67B56A96923C1D368647020FBCF2B953B5B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121572Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:31.385{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B68A8F15604C4257AF4CF54253F282,SHA256=0DA78F30DD07ED8FBD17C9D2FF226707AA99078A790423FD1D9F124CB74B6578,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121571Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:49.776{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-55952-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x80000000000000001121570Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:31.169{068A336D-7852-6197-95A1-000000000F02}49525768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017311119Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:31.185{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1422B05694258542AA07B5B75F272D9,SHA256=B3BE4F862F8C16814B7449C104D243B0D049B400C25316DF94A519630ACC8C58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311118Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:26.638{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60136-false10.0.1.12-8000- 23542300x80000000000000001121573Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:32.232{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194584F14614CF853E15D1E636BC4A7F,SHA256=C27BE632B28ED0C3CFBB128A19661AA42DCE0E23B8015FCDE650C93D75C65153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311120Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:32.202{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73037524F0574524D7ACBD43965DCED4,SHA256=9B841B5590C4DB44E1144214AE527CC0D4E28AC4936BEDBE1E7E052F5D7294C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311122Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:33.967{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\glean\db\data.safe.binMD5=004458B2650ED84C31DD9E14C7962651,SHA256=F83D1F76439248DF58CA2B6260EB4BC941241B25A4C43E85FEC84A03A8F735BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311121Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:33.221{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706B9E4806D441404F43486FA52BF354,SHA256=BF23F92132605A5CB2379845189813BE319FC001E317CD49B4B1B186FDFC9A77,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121575Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:51.149{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54358-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121574Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:33.267{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424FC9E7C82F7C453680769DE2609597,SHA256=A227E43AB25DE1B36D03CDAE3FBC21DF5FBF67CCCDB321C4BAEED77CD71177B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311125Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:34.420{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A1F13BA9D42FDDDE833421BA600C7AD,SHA256=76C3E68D93952A012F12E541832A66EF026F5B167FCD299673F3ABDA1F71865E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311124Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:34.420{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA6105E3F5337DC2848C468A5A9A02E5,SHA256=451F53B9AE9D1F4348D3DEF60BAD34F4B990D8F436EFEC6F999AE2A5529DE526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311123Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:34.236{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516306A9FA0D55268D47EC494FEC2EEB,SHA256=AECF93B6B9D45562F672E8A686763E48519EDA7374E7FB03F48C8F92312F096D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121577Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:52.353{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse106.245.140.119-62830-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121576Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:34.270{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E579EEC4BE03118FA5D322AB4C4E776,SHA256=17514EE34CB6030C5C499BCA932788197949091451D1D64A3FEFBCE6250E54C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121578Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:35.317{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8B454194ECED88CD63E6263D899A8D,SHA256=E91E5D2AE8B86D37181B522C28E5579E34B232A4CCB4918A65543688D37F6DCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311127Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:30.151{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.114-56165-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311126Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:35.251{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50A08513DDD6D8A166C294BE5D0C996,SHA256=5B1557798C72A8254252AC7DB9C96177D72934A88119C47B8FCFD4A250E0F3C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121579Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:36.385{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3067BB88172CB5086A6CAE44E547B862,SHA256=15B1E2F9B0498A4E30399FBDBA60A107567A9BD3E4FF8F431088CE9EC4FC7918,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311129Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:31.649{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60137-false10.0.1.12-8000- 23542300x800000000000000017311128Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:36.265{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F96852FD2468A18A35712BB41E997F9,SHA256=51327CB726AEAA3F0A7F9F120551AE6CF83ED6B909874FF66238EBA7FBD37496,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121591Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:56.185{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54359-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121590Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:37.447{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC1CB79DE94789E0EE8A6DFAFA1A767,SHA256=281B15C68A8853A1880557E99A282455448091F68C133B2D601338EB97090212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311130Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:37.280{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E905CA06AB0D12F950652552DA195DB1,SHA256=BFCA76A756B4D26BE0EDD6475E5795D515951C10291EA0F5999D79FE3975048A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001121589Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-19 10:11:37.184{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001121588Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-19 10:11:37.184{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x13b78bc0) 13241300x80000000000000001121587Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-19 10:11:37.184{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7dd25-0x77702571) 13241300x80000000000000001121586Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-19 10:11:37.184{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7dd2d-0xd9348d71) 13241300x80000000000000001121585Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-19 10:11:37.184{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7dd36-0x3af8f571) 13241300x80000000000000001121584Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-19 10:11:37.184{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001121583Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-19 10:11:37.184{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x13b78bc0) 13241300x80000000000000001121582Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-19 10:11:37.184{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7dd25-0x77702571) 13241300x80000000000000001121581Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-19 10:11:37.184{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7dd2d-0xd9348d71) 13241300x80000000000000001121580Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-19 10:11:37.184{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7dd36-0x3af8f571) 23542300x80000000000000001121593Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:38.466{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E9A32285709F11129870D03A30AC703,SHA256=84CC7EEAD96DC1D870C3E1166ED9D5DA82866AC1147520FCB2B880C5B6A47BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311132Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:38.780{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A1F13BA9D42FDDDE833421BA600C7AD,SHA256=76C3E68D93952A012F12E541832A66EF026F5B167FCD299673F3ABDA1F71865E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311131Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:38.300{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FE466DF313430C624079CAF89A81B2,SHA256=BDB8BC9E985E9DE8E5E0E54530277FCC506FB586BF1BD89D0FA7138779DC05C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121592Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:56.799{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-42764-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121594Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:39.531{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C219C74DC81DD33D52A7B681C263F8,SHA256=D5CEE26B57DF19CFA1030FDDE455B959EC8A64B723377DAF0CAEFDE4FF7B5F7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311135Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:35.315{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60138-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 354300x800000000000000017311134Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:35.315{CBEA6AB7-6A11-6192-2700-000000000E02}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60138-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 23542300x800000000000000017311133Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:39.317{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6BFF4FB920385867B60B41ECF0D5BBC,SHA256=F7682163E7FFD4EEF8ED973C87D29771E56D495E39703B8EEF9ECF24C4E3BD6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311136Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:40.332{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6388D2895DC55E1C7B04EDD753397113,SHA256=D991B60AFFC2C6DF35F26C740FF9747715ABADECA542AD01F36BD8B2117CC143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121595Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:40.566{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2402939257DD87CF339A02230BAE552,SHA256=225863664CB102FFAF2C2D48447A037F6731C97B8AFE25F3771459FC212D9300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121596Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:41.599{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E1882CF402CFCC61375BA332FB06DD,SHA256=242B5A8535DC75F1BC049F2305620B3500DA219EA5304D4204D4524642DCFDD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311138Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:36.748{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60139-false10.0.1.12-8000- 23542300x800000000000000017311137Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:41.346{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EDC8AA7E66A837C3B64DA293AD1271F,SHA256=BD5A77CB7CDC8404ADBD5AD80E73C2D8D4530F788386363842AA6A3DB222B3ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121597Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:42.766{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E07F22E75E3B2E0364FF1ACC3360A1,SHA256=1CE79E165F7136001127EC72ACE13268C3585F50AB808EEF5753E4962C9F108C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311139Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:42.377{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A58E9AEAF967A14A59D92973E02963,SHA256=DD0518D402DB82607A2808F7D47F8794B1A2468CA3DD8A44F8326CD3AE104E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121601Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:43.768{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349A529E674F63CD13D9A2466BA821EE,SHA256=588AE774D36AAD6C9F5EFB37E26F199B1C8FC6E6F6D249CDBED7EED1B77BD26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311149Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:43.992{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\glean\db\data.safe.binMD5=D5AE9CA51C1D23F535E2782B5E503DAA,SHA256=5903EFE50C499A255900E4536E45B3CF9DF5E9CABD7824BE31DD698625A06F41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311148Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:43.475{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-785F-6197-E59E-000000000E02}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311147Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:43.475{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311146Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:43.475{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311145Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:43.475{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311144Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:43.475{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311143Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:43.475{CBEA6AB7-69FF-6192-0500-000000000E02}408524C:\Windows\system32\csrss.exe{CBEA6AB7-785F-6197-E59E-000000000E02}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311142Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:43.475{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-785F-6197-E59E-000000000E02}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311141Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:43.461{CBEA6AB7-785F-6197-E59E-000000000E02}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311140Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:43.395{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC234289D59042D0A0AE50D0D5E18CB,SHA256=EAF9E01A25083BFDCA9EFCDFBC9108BE86A6ED2EBD01595207BB8805E4F20D5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121600Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:02.235{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-48326-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121599Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:02.200{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-54868-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121598Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:02.115{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54360-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121602Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:44.783{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4C2DC8A03DF750C88D564C0B22DE0D4,SHA256=AD288FC6182F7B05D41A493978AADFC9D6AA7EC20C236FF6EFDBA3DBBD9BB777,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311168Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.829{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-7860-6197-E79E-000000000E02}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311167Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.829{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311166Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.829{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311165Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.813{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311164Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.813{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311163Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.813{CBEA6AB7-69FF-6192-0500-000000000E02}408524C:\Windows\system32\csrss.exe{CBEA6AB7-7860-6197-E79E-000000000E02}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311162Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.813{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-7860-6197-E79E-000000000E02}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311161Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.814{CBEA6AB7-7860-6197-E79E-000000000E02}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311160Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.460{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=812B2070DEE37C6D56EF46817D960216,SHA256=912C3ECBA6FC5ECDE6B7144743A0477D08A87EB69A4AF7CB731BD530F9073CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311159Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.460{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44E59E89740AB958759F7E82A26498EA,SHA256=CD85BC157424135652149EB7E0E6F5430AB610C46BF84FBCF877BC0007D50613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311158Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.413{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59362F8DF0B0BD5817569C9EC8A1CB7D,SHA256=9A6064159B48EEC29E82BE5F35F55D273D968223315BA32DA90FB580EF85E98B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311157Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.144{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-7860-6197-E69E-000000000E02}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311156Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.144{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311155Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.144{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311154Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.144{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311153Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.144{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311152Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.144{CBEA6AB7-69FF-6192-0500-000000000E02}408424C:\Windows\system32\csrss.exe{CBEA6AB7-7860-6197-E69E-000000000E02}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311151Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.144{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-7860-6197-E69E-000000000E02}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311150Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:44.130{CBEA6AB7-7860-6197-E69E-000000000E02}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121603Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:45.830{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969C25DDE006C72EFF06F2ADB5E5A813,SHA256=742B0EBA610A84B57241920F35A3D65B33C270AFE561EFB931497F3EC8627CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311180Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:45.814{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=812B2070DEE37C6D56EF46817D960216,SHA256=912C3ECBA6FC5ECDE6B7144743A0477D08A87EB69A4AF7CB731BD530F9073CD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311179Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:45.677{CBEA6AB7-7861-6197-E89E-000000000E02}51644232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311178Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:45.499{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-7861-6197-E89E-000000000E02}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311177Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:45.499{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311176Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:45.499{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311175Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:45.499{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311174Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:45.499{CBEA6AB7-69FF-6192-0500-000000000E02}408524C:\Windows\system32\csrss.exe{CBEA6AB7-7861-6197-E89E-000000000E02}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311173Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:45.499{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311172Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:45.499{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-7861-6197-E89E-000000000E02}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311171Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:45.494{CBEA6AB7-7861-6197-E89E-000000000E02}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311170Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:45.415{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=600777E19B625DAAB5E05B63E23776DB,SHA256=5BA9ACFD3B755E04B9F99F6AC9E2242671671268039296F401B89D248DEBDAF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311169Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:45.061{CBEA6AB7-7860-6197-E79E-000000000E02}52165320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001121604Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:46.845{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02609148860F87922E9709B1EE2E2A80,SHA256=AE380F297D095EC068C7DEB085924028D197614E6AF0FADF6D87B130866CF12E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311198Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.862{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-7862-6197-EA9E-000000000E02}7280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311197Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.862{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311196Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.862{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311195Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.862{CBEA6AB7-69FF-6192-0500-000000000E02}408524C:\Windows\system32\csrss.exe{CBEA6AB7-7862-6197-EA9E-000000000E02}7280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311194Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.862{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311193Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.862{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-7862-6197-EA9E-000000000E02}7280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311192Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.862{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311191Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.848{CBEA6AB7-7862-6197-EA9E-000000000E02}7280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311190Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.432{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C845069A8A71921B96195C9D853750B,SHA256=2B7F49A39D37441FED8CC2A1A8F18D0B7E6A17CD5D326A49C35A85ACC2F1EE6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311189Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:41.795{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60140-false10.0.1.12-8000- 10341000x800000000000000017311188Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.176{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-7862-6197-E99E-000000000E02}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311187Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.161{CBEA6AB7-69FF-6192-0500-000000000E02}408492C:\Windows\system32\csrss.exe{CBEA6AB7-7862-6197-E99E-000000000E02}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311186Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.161{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311185Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.161{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311184Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.161{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311183Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.161{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311182Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.161{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-7862-6197-E99E-000000000E02}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311181Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:46.162{CBEA6AB7-7862-6197-E99E-000000000E02}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121605Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:47.862{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C1645793358552761D3E05EAC45565,SHA256=917B67800AC63757B8C4807B6C45E18E79E83B523346230E5BE3974AB8930AA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311211Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:47.700{CBEA6AB7-7863-6197-EB9E-000000000E02}81606756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311210Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:47.530{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-7863-6197-EB9E-000000000E02}8160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311209Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:47.530{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311208Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:47.530{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311207Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:47.530{CBEA6AB7-69FF-6192-0500-000000000E02}408524C:\Windows\system32\csrss.exe{CBEA6AB7-7863-6197-EB9E-000000000E02}8160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311206Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:47.530{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311205Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:47.515{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311204Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:47.515{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-7863-6197-EB9E-000000000E02}8160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311203Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:47.516{CBEA6AB7-7863-6197-EB9E-000000000E02}8160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311202Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:47.515{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311201Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:47.462{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C4C8BFECFCC91D9FE0D4E08590039B,SHA256=2E95802015259AFD528269FA8353A37CA95BAAD9E3DB4B354E0130109C164197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311200Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:47.162{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=639C206A30D361D12BC9AADACAF42F0E,SHA256=0CE9BC6B1CF8B6C78DE9D21BC0E9DAF81899572CF49408CA8E4F2DDFD738E70F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311199Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:47.047{CBEA6AB7-7862-6197-EA9E-000000000E02}72807708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001121606Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:48.996{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8A46D64478A53257B6FDF71EB9C96D,SHA256=C9A4FA74E47A8ABCE453DB6149B04FB8511B9726129AFD1A1F0A05B66BABA92D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311213Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:48.530{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=405C946A2CE1D1A9D77F503E5A8F6DFA,SHA256=BEFAD549D3FE2ACD459F4B170F21B409AD40CEA662A2FFCADF2CAE2DC327D48A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311212Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:48.477{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8860A2C8BFD66A74B43DD2D9797C5D7A,SHA256=83249F738FA3186F51F9A34B5E48974A199F8EF1A6440AE49559FA415310F180,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311215Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:45.044{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60141-false10.0.1.12-8089- 23542300x800000000000000017311214Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:49.494{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8208534200F6A9D02530AA791834DE9A,SHA256=4244BB50672805BF263CDEDC54C0D0D5FDC6CD01B599CB909EC653F8BF66EBEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121609Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:08.537{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse85.215.224.154ip85-215-224-154.pbiaas.com62081-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121608Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:08.132{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54361-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001121607Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:07.707{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-38812-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017311216Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:50.513{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C842B9D20D24B6005E9F3BA9978A694,SHA256=38D3F73A82D5064D888EEB51ED2962296ED113C9BDAF1C9677EA8935C411E95E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121611Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:08.836{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse85.215.224.154ip85-215-224-154.pbiaas.com62246-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121610Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:50.195{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3243901B51A9AEE80F5AA8C1637A3C5,SHA256=9A29BE228154826884C50DFECD2C1A90645155A3FCE48EA84BAF8D3B4B2876B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311218Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:51.527{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D2A03B10D4CC896C025CD367A97587,SHA256=417BA75033C75B706FB0845064F768EC46D510A254528ABEA0B9B690152F5CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121612Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:51.211{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B91DEC07A0DB4065103DDBB37A2AC4,SHA256=9C4D09610BFDF844515FF522F1CE23858FCDF9C498CA31422C796A5FCFB8AE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311217Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:51.275{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06C3DF8BFD0C2B49133CD0B05DBE9EF1,SHA256=7EA29B696FE146A3AC004FB3BEA7E1A8462C2A35784D58BD5FD6EAD26402870C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311222Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:48.140{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.59-4080-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000017311221Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:47.764{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60142-false10.0.1.12-8000- 354300x800000000000000017311220Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:47.409{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-53162-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311219Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:52.542{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E58D4B91ABECCEFA770C9CCB694D8A,SHA256=0415F27F1539A2D093E3AAE0BF5E5C1354FE119F373B68BB071EE304BF753C8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121615Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:10.550{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-38654-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121614Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:52.260{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08F2C762B59DF170E9A0910CFEAB2E7,SHA256=6DC8355CC6BF9988EDF507C2CF9E6ECB2DD15EB36A70C9007C65906D0243F0A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121613Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:52.026{068A336D-6CBE-6192-9900-000000000F02}3876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311223Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:53.557{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D81740427C1315AA43ADEADDC6EBD00,SHA256=FBDA348998F74BA62B854C557717592C89892BE946AE700D63D3B1CE763D70F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121617Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:12.080{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54362-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001121616Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:53.279{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3CBDBB8B896249BDFD022D499281CD7,SHA256=A9FCCAE903DF60A4974679671C2C304F4E32F2319832D7A7FFCA4DDABA7A1C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311225Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:54.571{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B11FB2ABC7282F5BB45EFCC6653B631,SHA256=41FC29BF641835F9252FF7BA79457327AE30E985C3CDF585B1B82C298C8CCB04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121619Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:13.179{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54363-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121618Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:54.293{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C778B6A2579226838CDDE3835863F0A,SHA256=952C431EC5CD155006BCC2D7FB79219918A51CEA75D14B063959E1B17DA6E6EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311224Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:54.540{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=522FC45CEBE201098F16704D91ECE25F,SHA256=49107E43670027E4082FACE6A80CEA0E2B8D23709A1F468BCBF55C97CC37EF77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121620Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:55.308{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B609E7AE6AA4D31CB8DACD0030E2CB0,SHA256=8D48A3FD33E11FB82AE94EFDD37D6ABC38EED50A4F45F1F54B8A66F718E7BF0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311228Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:50.947{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-57838-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311227Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:55.590{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85126212397B313C87E5F632295BA4A4,SHA256=82B89B9180601EE7712BFA6CC8DAABB86EF6A1AF10EF25197B2DB664404F7EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311226Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:55.187{CBEA6AB7-6A01-6192-1100-000000000E02}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=315E2D5643439E94E50518943EA0AF5D,SHA256=F7371D36AACDB3812283A8DB02D035476FA6AA3AA8F7659651DFA00156DB2C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311230Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:56.688{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEF3DFB9E64A30CEB74C4840662A38D1,SHA256=A28ED4B0F07CFFE6ACE57AECCECCB27F23ADDA1D8B38DAA4DABBBC2E1A2D0525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311229Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:56.607{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F36ECB47BFCDA8F95940FBEF6A75B3A3,SHA256=93417402A25DF741D577147924BEB7E06DA7F4FD18D7FB8F5E2DEF3FE6F327A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121621Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:56.325{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCEB8A62829B8DCA9FF415B60FBEC05,SHA256=A75590112B43DD36E7C2488077EF112612A778DC6B984384E66F7F98E1B944A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311233Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:53.589{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60143-false10.0.1.12-8000- 354300x800000000000000017311232Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:53.039{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-34354-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311231Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:57.621{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CFA1A11ADC098CEF9C594EC3A79EA90,SHA256=A4DD363E5DD1F07711AB063FDD654B48C573325BE821C2D13B83AC27F178E595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121623Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:57.359{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719F1FEF152ED7BABC5BF0F6DD3A312E,SHA256=206A592DE70CF414D37BAD852DA6DCE2E36DC7B220260D00FCD1A5EE3FB18660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121622Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:57.196{068A336D-6C47-6192-1B00-000000000F02}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\respondent-20211115141851-5375MD5=7D5F4D75B6205BAE0B0CD245353355AE,SHA256=FF29CB026251AB2F621324A386EBB740C0EEF4A7746CD7FA9FAF12CBD8E709CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311234Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:58.636{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E087607374E655F6F41EDD00128DA3,SHA256=B38943C9095FFC21AE804789025F87449963BA4CFBC73AC6A221845165ECD197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121625Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:58.408{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150873BB09B260F2B2A47CE026FA2EA5,SHA256=8A1ED2596748359BE94AD46473E98D841E99F28FD40715555B3FB866294A7CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121624Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:58.210{068A336D-6C47-6192-1B00-000000000F02}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\surveyor-20211115141847-5376MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311237Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:55.832{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-42974-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311236Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:59.651{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB9013734FE11DAEE8F2BC4FFEDFB5F9,SHA256=C40181ED10D81BDA8650E6D30CE7D1CE320A5C22CC87784FC9CC7ED4224EC3F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121627Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:18.409{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-33738-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121626Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:11:59.424{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03DC882881F06AC5C08AABC81852218F,SHA256=178181D94ECD9D60B71E9CD119EB01EAE2230C0960261C0CC6CDF036EA2481A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311235Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:59.420{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7591DD41C61FB6CB3E02241364ED08C,SHA256=E4A70E71A66EF4CA7125A0FB4AB6370FF6C2006FB719F4F1497E436497384547,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311240Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:56.647{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-44530-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000017311239Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:56.319{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-43874-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311238Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:00.653{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3E7723503DDB57AE550E4A1278C896,SHA256=F5E44047A4B485EA7FF8CBD5552550A57D2BEDB9EFFE0EA0056EF589B4D1D1B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121629Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:19.125{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54364-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121628Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:00.457{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=659573E5002ED672192B743A8858644E,SHA256=09D25EFCFE72252DF7648BFD80E4E11CDF6028AE9D2D34F554A276B9234C0264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311241Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:01.668{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5353DBCEEF74A93BBFA2BD2DC0A6D5CB,SHA256=AD4280E2283D98DD65D782E006376627EB02CD76208ED138D52D63A11675DA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121630Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:01.475{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84245A763794691AE336150FD0FEB1FA,SHA256=6127FCD32A420C214B6213F1B09E976AF64A48336395A1F8C4D3563F6C330152,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311245Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:58.618{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60144-false10.0.1.12-8000- 354300x800000000000000017311244Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:11:58.278{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-48514-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311243Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:02.686{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F934E418EC9CC69CF92A0BDC5589E4B8,SHA256=D4EBAB3244142E8F39FB13BC3FD1D2E1E9AD8A8CEBD3FC66FBB9E9D9A4441C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121631Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:02.506{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D2094F7304D8AFA0D89DE4C21F9E64,SHA256=2AD958BB76D21FB9A0CCF441EBC85EADF82AB676649AA0A342DCB6D01ACF2FFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311242Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:02.006{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AED0ED30A1824A8A7A0B29F41FD3B67D,SHA256=F706BC3AA961E2A51ADF59A1BE7F87AD06A6EF629F9F44F4D5672A9D8DCCC672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311246Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:03.690{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF0DFE06DE1F173FA582A12F049ABBD,SHA256=BE3093E1F7F45CB8E2D7A65FF6CDE5D8EE10112E9F455E98810E82AA04400C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121632Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:03.522{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BA40F6813021196E00AA5DA549405D,SHA256=272B32AE0E3484A59CCEFA0AD3D2DDA0E63C4EE7720A0F9DA1A920F831F7D3E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311247Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:04.704{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF4BF450676160C93F355D13DDC780B8,SHA256=14ACD4968E7EF2A091A957B7B3852AADC35B22654CB60CFCC938ED9F52915374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121634Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:04.555{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BE2E9075AF4A88D7DC1C4A1FBF4FC6,SHA256=FD8D93556FCCBF32A1FB6926ECB565C382F9D82944FA7487A7D9DE96D739BF78,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121633Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:22.617{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-44102-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121635Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:05.589{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB9A9717DD60849AAA1B173897F8E89,SHA256=487A9B630C1DF43173410BEDB17C61E225AF7DC491788925EFCB5843E1E3472D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311249Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:05.719{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B9EE57C345BFC96C641E3DF821A7BA,SHA256=58BAEE1B69E3424B87DE0F381378D49FCF921480977A2CADF5B9662633BE321C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311248Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:05.485{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5B523BABDC68A422DDCE87FA95BD28F,SHA256=88987DF21AAD1922F8FDDD75EA62568DCDBAFD03341CECDF0862E06F610CCD33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121637Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:06.604{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC53055514B5613B8DB7C805B3B25D9,SHA256=AA61C8D88C7FF05B7DD225FEAA240035E8F23F4CE6EC9918B7F8AB23DCE6E00A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311250Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:06.719{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505B7B2FA8EC00369D5DCBA2381349D9,SHA256=DF295D0A2952F62A133D9E7A8EA78436396142A2FB5260813C5462BAB40E902E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121636Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:24.307{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54365-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000017311254Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:03.950{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-60914-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000017311253Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:03.684{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60145-false10.0.1.12-8000- 23542300x800000000000000017311252Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:07.819{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80C4AAA9C69AC243CD25508DFFE07366,SHA256=5E7D03FA3F4F52922AB2ABF60867A9E474B720066C845A4326B8B1AE3E4772C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311251Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:07.735{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969B6D2AAC43555590D64C8E4C655AFE,SHA256=9F5B3FE819138ED27F926EA5C9A821AD2900DB70343018E81322FAF008142E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121638Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:07.635{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980F6EF3D97BA73AFF89D9F9C3E7CFA2,SHA256=00F79530B67905026C905958B29806A964BAFC8F200C97076EA2640F1AE9E569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121639Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:08.672{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F48A6705DEF4D2DF6866050453179B,SHA256=F0D8D10E0F66BAEB0C64E2CEE178C0D7BC74214365A91CE44EBC15FD26B0618E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311255Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:08.735{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CC9E4B1B61FC942D63F5012E133D78,SHA256=DCB427CE510074E10E5D615BBA371196C4CB7D01CC94CDE3659B2987EF6EF2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121641Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:09.818{068A336D-6C46-6192-1200-000000000F02}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1D0F8F6C5ED7A037881E45E377DE53BB,SHA256=E9D66AC17C610358FB9C8ABDBEF42A8132F7D6659F1578F202BA9104B2D1756A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121640Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:09.718{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A18000AA81B0CA70AC72708FD80ACE,SHA256=B9B282E9B3D1275A0D28097CDA3723642B8256E4B7348CA8BC1EACC9941C5BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311257Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:09.753{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AABF59A1CCEE56C35EDB1A6942B07EF,SHA256=D0132FFB8BCCFA7DA20B72CF7B7B97A1E0C5955ADA0966526E87BBF04520A1EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311256Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:09.005{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=961E13F6F896381CBB37E464F3F9408C,SHA256=6231DD96DC8A3F340A63750181717CC52BB1E71DA6F28091CCF7DBA884129893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311259Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:10.766{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4715A6524A4145668166BB805295F3,SHA256=8DE1CF06564A8326804DCF52D974068B27A9AEF7319A5932DD4127356168EDC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121642Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:10.720{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07AB00D04D8936FDE45242D80AA2468F,SHA256=A16A78BD582E3918020D87B17CD91CC80C1814B75F75720BAA47CB0DA9FEE21C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311258Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:05.287{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-60738-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311261Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:11.783{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A14FA01963CAEE70F45FF1C9AF2DD1,SHA256=A2E570B2C3F2F5B9FFEF3DF265647B8372BB1F45A1A1DCB2F4E3665A228FCD4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121643Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:11.734{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B8269CCB7B937F3BB0B3F015A4C6CA,SHA256=ADE0D533824FB6ABA19423DF0B3FB19DCFFCA93DEFBF0EF54362537BF5D8F7B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311260Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:11.003{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=583141618F9E3B26217367C711773FAD,SHA256=2E201581CB9D6FF1AE2DC275FD863D8E906BCD4B956C0FDFF01AFCC38FDCACD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121645Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:12.752{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC88B628A156F7FFBEF1F4945B88AF7,SHA256=19D9D92F1CCEAE1D40657DA8741BD9C8D8A574DEA9041A28B5F101A6DB43B434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311263Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:12.802{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1532FFE6D97B82C2EE1FB8AAC1756089,SHA256=8D32DCE7A18A40EE81A2E84697E1C2A16F9C2549373CE964E4E8E412139D25C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311262Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:07.411{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-40098-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x80000000000000001121644Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.175{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54366-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017311267Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:13.817{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A6E5A7D8BE26CB5E4690C74764A5D8,SHA256=382BD7164F7D13EEAC5F10ADA5DC15D746CEA7086278BCD658E70D5974729964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121646Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:13.788{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F23698BFD5811F202EA139D74EA8EF,SHA256=B87CDCE8A4FD80C0DE7E27E826400DEAF969E62EF8C014D2F2E2DFF754396690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311266Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:13.749{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\glean\db\data.safe.binMD5=772C28062554CAAF8319C9BA68D70538,SHA256=893864A3F0333707F489AD40E548801945D5CF21A1F26908252F6E56CD8DC817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311265Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:13.702{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FACC3BEC76C6422EC6B150948EBE6CC4,SHA256=DF36B7B7638576C31B7444820ED3C631026FF639318534DA172C782684939C9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311264Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:08.732{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60146-false10.0.1.12-8000- 23542300x800000000000000017311294Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.833{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEAE7A7D7EC52E2B3F8994FCDDC33FB,SHA256=03D3F02DE5EC72C1B91645BC1531F1765B9A1197AA007421829A7EF0343556F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121647Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:14.819{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104AB294AB16AB57797F33F33E0A27E1,SHA256=1B8653AEB6D3E6C954ECFD7B252E63BC27B38C2CC1B7A3B81E2D2C5E4328A291,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311293Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.182{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311292Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.182{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311291Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.182{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311290Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.181{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311289Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.181{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311288Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.181{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311287Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.181{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311286Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.181{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311285Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.181{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311284Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.181{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311283Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.181{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311282Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.181{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311281Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.181{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311280Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.181{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311279Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.181{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311278Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.181{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311277Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.181{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311276Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.180{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311275Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.180{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311274Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.180{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311273Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.180{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311272Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.180{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311271Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.180{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311270Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.180{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-1A7E-000000000E02}5348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311269Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.180{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-1A7E-000000000E02}5348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311268Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.180{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-1A7E-000000000E02}5348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017311298Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:15.836{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C9C190B2146CE1FAA5C155B2A61689,SHA256=B98E04AEF6164AB43A54599B313ADC2E8AB51FF0419DBFCDE1AE9BCF2F643C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121649Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:15.834{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88578735A5A1F47DFEC6CC62A2641B15,SHA256=E523FB05CBC70B9B361DF1F738A918AB5E1A6358A563415506876EACF9D094C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311297Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:10.787{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-44640-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000017311296Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:10.494{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-47186-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000017311295Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:09.912{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.219-10605-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x80000000000000001121648Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:33.545{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-60732-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121650Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:16.870{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F5FE947E5BB19262FD38A6286599BE,SHA256=A6A1B6EB6D26753985ED5E874761F37EA75CBBC28B9F0A27E12F665F752FCF98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311299Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:16.836{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212C45DA4B568A412B53EBA3A2E1BD9E,SHA256=FCF9C818446DAFEE9C0DD9DB43D80D2CDDDADF3E45FE106E59CE566A7D6513E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121652Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:17.885{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85DCC9721B270D5AF0243224A2EC601D,SHA256=4721A8BFD07BF779A31482C86C406E31DBEDF1282F98FCE8BA4B025D93838A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311301Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:17.852{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84FB3CC02AAE330970EFFCA04D169C8,SHA256=7908064ED2AC3854A4DE0A77CC891EABCDDC54B65F019B7BF1A970BF278E2138,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121651Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:35.242{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54367-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017311300Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:17.237{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90FB55B214CB396FA2B185A470549A51,SHA256=8C87D95EF7F4249A73F2C1238C7F5D24DCCD33D666CAFBE878FCBFB4A6DE18E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311304Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:18.867{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECFB3905090AC10C926EB5A9F4776B4,SHA256=9ED31A94132915CC66FC300483483008C5DBC504D183383AD21D7323465D644E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121654Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:18.885{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA32FBE6E00D3B8BDC96F6D27CDE8B0A,SHA256=02EE366B09DAEB275A1948DD88322358A9C20235AC6175EBC09666B6ABF401E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121653Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:36.648{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-39784-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017311303Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:18.767{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\glean\db\data.safe.binMD5=7F5C92229FAE3B5B990196B6C0AA13F5,SHA256=06FAB12E3E2B239B37CA5DD89E1892A201E18C4C5AE77344F75DA45D4D0B64A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311302Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:13.618{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-53894-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x80000000000000001121656Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:19.885{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F935548A32B0C78F03B0C2A818E0C00,SHA256=36973918459CA2004038F6DF36C86C95B8040840BA835B71FCCABE12EECA7E28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311306Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:19.868{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872A97E53A00DC938E932F3793CA3F8F,SHA256=E7685685A12B473F7870DD3FA70C2BB7021AF440B29CC6F6ABBC973DC0B2C18E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311305Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:14.619{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60147-false10.0.1.12-8000- 354300x80000000000000001121655Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:38.156{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-50038-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121658Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:20.933{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57EDF5C11E254DF1BE28322F267960EF,SHA256=39EB4A92A61C790F9590B982DA05866CA88CEEE9380F17E8F9D45CD5009229EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311308Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:20.886{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDD39209AFD479C621587FEDEF73F24,SHA256=4EF311EB84AE450FE506965B3F1A301ADE3913100DF7AD352A127E15F87CC232,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121657Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:38.892{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-50250-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017311307Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:20.289{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DCDBAAFFBED037541319E67245F870D,SHA256=05B75FD182B885FC5990D90017B0E766C087FF20D2AE3A0AF94707AD7CE64CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121660Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:21.985{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC264FE00DC41DB136D2629C10398D0,SHA256=7E7F939530089DF5DB2334A4679CBFBEDD6F8A68633CFA29283A1480182EEC75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311311Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:21.908{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16DD2D0ECE41A22FB6CB52ED05246BD1,SHA256=0C28DCD97866DAFDB617B2A39B378F0BA0EC3B5E446FC302D4985F577515F665,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121659Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:39.300{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-45230-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017311310Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:21.790{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF19FB5B89F4340D1DA02EF73A58B0EF,SHA256=3F22AD840348370B06EF575614D87A91616E6C39C0D6DEAF97064BF2D6A8669E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311309Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:16.703{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-60990-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311316Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:22.922{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C73815F17B2B92B26962B08EBACA1B,SHA256=E1B62172D5AF8E62F8CFCFBE79DF1A82A5AB8560095E742436308FCA9F9DDD0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311315Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:22.638{CBEA6AB7-6397-6196-187E-000000000E02}18567768C:\Windows\explorer.exe{CBEA6AB7-643A-6197-729C-000000000E02}7764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8037A4EFD08)|UNKNOWN(FFFFB2CDE74A5B48)|UNKNOWN(FFFFB2CDE74A5CC7)|UNKNOWN(FFFFB2CDE74A0351)|UNKNOWN(FFFFB2CDE74A1D1A)|UNKNOWN(FFFFB2CDE749FFD6)|UNKNOWN(FFFFF8037A208103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000017311314Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:22.638{CBEA6AB7-6397-6196-187E-000000000E02}18567768C:\Windows\explorer.exe{CBEA6AB7-643A-6197-729C-000000000E02}7764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8037A4EFD08)|UNKNOWN(FFFFB2CDE74A5B48)|UNKNOWN(FFFFB2CDE74A5CC7)|UNKNOWN(FFFFB2CDE74A0351)|UNKNOWN(FFFFB2CDE74A1D1A)|UNKNOWN(FFFFB2CDE749FFD6)|UNKNOWN(FFFFF8037A208103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017311313Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:22.638{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF13c0c2e2.TMPMD5=F73D9CF608BCA5B177FC2D88CDEE67A1,SHA256=08D601DC82FD263D9DA78FAEEB42B109F6BAE1338BE9B538143592586E744332,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311312Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:17.975{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-36088-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311317Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:23.946{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CC2B405FB9D53FE036FDB04A79ECA4,SHA256=F0AD8940A667E77818DA46EEF4E1B8A9A96AA58BB8FE330F01BB2D8271070A3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121664Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:41.902{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse136.25.184.139136-25-184-139.cab.webpass.net50749-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121663Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:41.798{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-56256-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121662Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:41.204{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54368-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121661Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:23.016{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1C3E53C3460C6C3D67B1F9D3298E12,SHA256=EB36456908F28DD205DD72E9B1B1752210CE9E430DD948F0263220F1103EB97C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311319Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:24.961{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E64E3CF576948403EF11FF7584700D,SHA256=42612A2EE98721648E294889A69C178F82BC0CDA533C32B754F50771EC55CB33,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311318Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:19.774{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60148-false10.0.1.12-8000- 23542300x80000000000000001121665Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:24.031{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD0A693FE04BE8B23F04107CE2A4473,SHA256=4876513BB9A535D7A7417255B3CA826DDF70F32D83D35363C219C033D65FD069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311320Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:25.961{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F841A3E28FA2E3FFA280A5A415C7327C,SHA256=FF4C886DBD92E8C8AE5A4DE094DEBF6A5074BC0030F6260D2543549DE5C1BE01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121679Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:25.682{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-7889-6197-96A1-000000000F02}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121678Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:25.682{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121677Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:25.682{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121676Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:25.682{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121675Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:25.682{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121674Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:25.682{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121673Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:25.682{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121672Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:25.682{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121671Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:25.682{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121670Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:25.682{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121669Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:25.682{068A336D-6C45-6192-0500-000000000F02}4081012C:\Windows\system32\csrss.exe{068A336D-7889-6197-96A1-000000000F02}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121668Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:25.682{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-7889-6197-96A1-000000000F02}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121667Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:25.668{068A336D-7889-6197-96A1-000000000F02}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121666Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:25.048{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB623410182E9A20B084E583B06FBA9,SHA256=37BCF430492CAEC6B6A0509E276ACDA176996EAE0E98D38BB6B099B2D1D146AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311322Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:26.976{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D13E8A8CB14EA24F993A0D33D259C65,SHA256=97DC822ACDDA2AD7360F1232C312FC9A50EB63D9ECE6FAF18729DA8D9E35818B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121707Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.913{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-788A-6197-98A1-000000000F02}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121706Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.897{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121705Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.897{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121704Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.897{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121703Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.897{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121702Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.897{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121701Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.897{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121700Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.897{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121699Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.897{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121698Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.897{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121697Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.897{068A336D-6C45-6192-0500-000000000F02}4081764C:\Windows\system32\csrss.exe{068A336D-788A-6197-98A1-000000000F02}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121696Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.897{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-788A-6197-98A1-000000000F02}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121695Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.883{068A336D-788A-6197-98A1-000000000F02}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001121694Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.466{068A336D-788A-6197-97A1-000000000F02}6256416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121693Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.213{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-788A-6197-97A1-000000000F02}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121692Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.213{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121691Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.213{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121690Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.213{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121689Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.213{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121688Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.213{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121687Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.213{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121686Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.213{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121685Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.213{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121684Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.213{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121683Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.213{068A336D-6C45-6192-0500-000000000F02}4081012C:\Windows\system32\csrss.exe{068A336D-788A-6197-97A1-000000000F02}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121682Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.213{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-788A-6197-97A1-000000000F02}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121681Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.199{068A336D-788A-6197-97A1-000000000F02}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121680Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:26.066{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB509BFBD35FCA9F0382A6C4AFC5961,SHA256=2E6E06B14121CE43617E74D0A4AB126EF0FDE1DA78F9307990D8CC790E20768C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311321Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:26.885{CBEA6AB7-6A11-6192-2900-000000000E02}2928NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\respondent-20211115140924-5384MD5=B1D65678BAAFB9FBC346ADDC22B9EF13,SHA256=A60E4A1EB0B1846EE4D092EA74D659E3EDD5022A58AD08DA4DCF9E97FBF70157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121708Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:27.328{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F41C232ACA3BA8FF91C6AFE57C16BB9,SHA256=1E2E901D206297B909416042E033846692574E53B82A078EFDC2A7D8C45C9905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311323Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:27.877{CBEA6AB7-6A11-6192-2900-000000000E02}2928NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\surveyor-20211115140922-5385MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121710Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:46.319{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54369-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121709Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:28.412{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=411182A36D96276B163A968996B5DA08,SHA256=CF1606681BDF6B5720E55F47A6855E992C434D63E314884D98927ADD2DD4CCC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311327Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:24.476{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-46150-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311326Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:28.075{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5396D5E26FD363F183FAB62EEED1E433,SHA256=EEFC08E17A6A0EC3ECD7FC1D8AE4E50BE27494E849CE06F5E4A71E5351E2CDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311325Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:28.075{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0385967FA6610662515F852A26E75CA5,SHA256=71B4984C663794058C38C896DA1DB3E071D8FC02C499FD6D9429613A329546AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311324Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:28.013{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5892F7D29DAA0E7D4FA45E52731A11A,SHA256=80B1062634F422E218C8CA656F397FB90D6026A459851D578DB5D40CA8E45E74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121739Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.780{068A336D-788D-6197-9AA1-000000000F02}12044888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121738Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.612{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-788D-6197-9AA1-000000000F02}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121737Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.612{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121736Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.612{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121735Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.612{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121734Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.612{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121733Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.612{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121732Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.612{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121731Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.612{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121730Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.612{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121729Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.612{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121728Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.612{068A336D-6C45-6192-0500-000000000F02}408524C:\Windows\system32\csrss.exe{068A336D-788D-6197-9AA1-000000000F02}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121727Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.612{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-788D-6197-9AA1-000000000F02}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121726Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.598{068A336D-788D-6197-9AA1-000000000F02}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121725Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.428{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A96BC21061F0A72369040FAD02C578,SHA256=678EED9AE77CF489FC0915E9A5FEF13477A3D5CB72696CE85540F3D3110558E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311329Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:25.663{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60149-false10.0.1.12-8000- 23542300x800000000000000017311328Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:29.027{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6170DF09B5A282CE4EFF3EFA3FF251BC,SHA256=A86A9DB4D4F8C114C95854FB21FD701E45E15EC480F212451A5FF84DF035D986,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121724Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.250{068A336D-788C-6197-99A1-000000000F02}55526960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121723Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.012{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-788C-6197-99A1-000000000F02}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121722Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.012{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121721Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.012{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121720Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.012{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121719Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.012{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121718Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.012{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121717Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.012{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121716Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.012{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121715Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.012{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121714Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.012{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121713Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.012{068A336D-6C45-6192-0500-000000000F02}4081764C:\Windows\system32\csrss.exe{068A336D-788C-6197-99A1-000000000F02}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121712Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:29.012{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-788C-6197-99A1-000000000F02}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121711Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:28.997{068A336D-788C-6197-99A1-000000000F02}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121756Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.723{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F16B3AE4CDE2D4525AF5276AA2AC73,SHA256=A99ED91EA677FE37633C31B1557C76CBF88FA3F99058001FC9BEBFD08F2F68B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121755Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.524{068A336D-788E-6197-9BA1-000000000F02}58124196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000001121754Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:49.304{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-44386-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121753Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:49.266{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-45828-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017311330Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:30.042{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BF2168C53BB91BEAAAEF7FA26B8651,SHA256=6DD1D993554B2CED52D8E65D32838980913669CE4716500B2E807B349EFF4621,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121752Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.311{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-788E-6197-9BA1-000000000F02}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121751Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.311{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121750Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.311{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121749Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.311{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121748Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.311{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121747Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.311{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121746Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.311{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121745Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.311{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121744Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.311{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121743Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.311{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121742Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.311{068A336D-6C45-6192-0500-000000000F02}408424C:\Windows\system32\csrss.exe{068A336D-788E-6197-9BA1-000000000F02}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121741Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.311{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-788E-6197-9BA1-000000000F02}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121740Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.296{068A336D-788E-6197-9BA1-000000000F02}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001121771Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:49.896{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-47560-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121770Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:31.523{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9174CBD2AA62CD111C11D9A65CDC4B36,SHA256=7F60AD2E94B2DB40FDECF03CD48D705BF1AB07FA753287CF99103788CB7AC90A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311331Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:31.056{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDFCE6C58DC9442448E243ED37396F3,SHA256=E6F4D4C5878EA31D5558287E8DB668461383EB27FE1C84DB4C5BDD5B2C57FB40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121769Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:31.008{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-788E-6197-9CA1-000000000F02}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121768Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:31.008{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121767Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:31.008{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121766Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:31.008{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121765Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:31.008{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121764Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:31.008{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121763Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:31.008{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121762Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:31.008{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121761Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:31.008{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121760Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:31.008{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121759Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:31.008{068A336D-6C45-6192-0500-000000000F02}4081012C:\Windows\system32\csrss.exe{068A336D-788E-6197-9CA1-000000000F02}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121758Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:31.008{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-788E-6197-9CA1-000000000F02}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121757Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:30.993{068A336D-788E-6197-9CA1-000000000F02}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121772Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:32.593{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E42EE7742ECB0A597CC3ADAE9D92AB9,SHA256=C62754D20B57FE0738AFA9EE9908AE2CD2091A5D17321970B2D0AF34C99D2180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311332Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:32.071{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A353615C684B8667F6324DFFA96849BD,SHA256=66C7D00F4027FEFE957F49EC58B3BCA9DBAFA26BE585ED0045D86E15E36431A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121774Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:52.326{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54370-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121773Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:33.609{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E868D9E986163F8B4D8DCFE42E4C1E15,SHA256=27430047F1575D5418674C5A1E63B3277CAB04B9AB109AB5420B8A8A90346B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311333Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:33.107{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B82F5177362F4CD1AD9B60EB6A73B9,SHA256=A53851B49BBC597075A586CD1B8406EE969BB6F6766C9EB5FE11CCBA14F8BBB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121775Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:34.624{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4351040EA61CFE17CBF123956B4C4C1F,SHA256=AC1BD7C428730CAE2537F19AB8F6575F69887CF9F0964B980916B58F1E691A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311334Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:34.113{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806FDDE6ABB1D0F530F734C227527657,SHA256=F529FA931CD5910A8FEC77239C1F87DB561119EE9E952CEAD749B703C3FE76FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121776Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:35.639{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C1D23094D6BF4EF42C841FEAC2ADDF1,SHA256=97C43748117EAA52A0B4FDA790ECD2B70DE103E35184D815EA1ABC684E561570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311335Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:35.143{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B13641169487C8D5668AF317B5B51A4,SHA256=C75E67447AC5125E172AE32DBA3EC4FF001C04FEBAA02DE35307B044F1BB7AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121777Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:36.656{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607D1071064C0E7FB882DC25425C35F8,SHA256=1A47B301B673D0AF6D2B3C556672FEA9DA96D913B55484B624F8FBE38FDDF71F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311337Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:31.595{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60150-false10.0.1.12-8000- 23542300x800000000000000017311336Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:36.158{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18BB037C87275C38DE3C03C41DC84231,SHA256=2F6CCE7E28BE362F9948C2B5BD11F77BE49098C7BDC51787C65FB84260A51D99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121778Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:37.675{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E98FB0157F4EBD3CDC783CE0FF37F50,SHA256=3178F959315D5E1E971859EF181C0A56892600C402DD21181B362F34BF78B34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311338Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:37.172{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E4FEFBB9E665D7ED8CF02ECD6C8F70,SHA256=6F4C783BDFBB441F377370D0EE0373E8B2CB7A029DE3F480251C295351AC28EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121779Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:38.685{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A411625CD6A2D1DFAAAD3EE896875053,SHA256=00C856BFADA0264D9DA342BF57DB5B1C4ECE8CFD69ECF168BD9F62E2DF691728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311341Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:38.793{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20E6E597E17289BE154A26C2FD8ABDB2,SHA256=F6E96FD117F6027A732C5C1F9F122F4C9255AD89105394C042A63C94351C3DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311340Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:38.792{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5396D5E26FD363F183FAB62EEED1E433,SHA256=EEFC08E17A6A0EC3ECD7FC1D8AE4E50BE27494E849CE06F5E4A71E5351E2CDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311339Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:38.192{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5E5B39CBB6DAF30013187E489CFDA2,SHA256=A8CBEED3DC0489CA2012C77FE4C61680D652E7B86F7942FD56A21B206E8A7DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121781Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:39.700{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4EB853AAE6103ECD906D6A3EE7ACF0,SHA256=C9D2F4F0C1B35EC18B3A4067E68973FAA86CCE6C7C2C51C145F8F03841AE1E6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311344Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:35.322{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60151-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 354300x800000000000000017311343Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:35.322{CBEA6AB7-6A11-6192-2700-000000000E02}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60151-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 23542300x800000000000000017311342Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:39.208{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B3D5E069625D93DD98C462B88563AE,SHA256=5DDE9566F3FA112B4A0142B63BE73124DDB964B089454FE56F7A4D35BAA9F934,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121780Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:57.894{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse85.215.224.154ip85-215-224-154.pbiaas.com53052-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121783Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:40.716{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B5DB673E5C5B26EF03F4AF87767A7D,SHA256=9A3640D481116E628E88894807EB3BB9FF292C4A369F06DD0A15E670E700A801,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311346Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:36.622{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60152-false10.0.1.12-8000- 23542300x800000000000000017311345Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:40.209{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A5D5A6EFBA231A79A4677DD35388F70,SHA256=69A1CB99D5C08FEE9678C9591D1D7596242BB39F022C57B3C7B36A650DDD3895,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121782Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:58.078{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54371-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121784Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:41.731{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD81D550FB46C99CBE9123230E3FD363,SHA256=AF7A8C8AC61D14A50366AF9D5547953B03EBAC1097F88D34349E9CD477A70B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311347Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:41.224{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F480F18E171D8CF4792DBEB1A5B7EF,SHA256=0FEA7FA0D0AED2FCE3C4DC7913DAC49CB027C7FFDCC32E1C9AAFA35DA645DF1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121786Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:42.746{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933D22E29705D9006670A0F32092F3F7,SHA256=5D979F653B9540A93C0EE5DAA888493F6BA24C746D6CF8ECCD42A1C5EABAE40B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311348Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:42.240{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C2CD782EAA78C770D9684A570FCF06,SHA256=8EA2B591388538A7F2473EB94FCC801BD44D67D182851AFFCC9AD7C35B87B6F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121785Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:00.893{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-41148-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121787Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:43.763{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD22D39826E03272B65ACB9311B891CB,SHA256=89118B9494788ADAC543017854CF9482A9DF10B081364917D115FEF8F7AF25B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311357Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:43.490{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-789B-6197-EC9E-000000000E02}8464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311356Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:43.487{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311355Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:43.487{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311354Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:43.487{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311353Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:43.487{CBEA6AB7-69FF-6192-0500-000000000E02}408524C:\Windows\system32\csrss.exe{CBEA6AB7-789B-6197-EC9E-000000000E02}8464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311352Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:43.486{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311351Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:43.471{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-789B-6197-EC9E-000000000E02}8464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311350Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:43.456{CBEA6AB7-789B-6197-EC9E-000000000E02}8464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311349Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:43.255{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9F491ABEA7BD5B2878F3132F59DAD8,SHA256=9A91935469CA06AEEAF51C12F959F5CB9DC22CA33DBA8B009B310F12D642DB40,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121790Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:03.259{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.82.77.234scanner.openportstats.com33256-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121789Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:03.217{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54372-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121788Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:44.768{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60DDA5661B65ED8E9D8AFE058C917B2,SHA256=B12F840C56B30FCDEC5398C81F4EDA5C1BB07AE8A80D8B4FB271C374EE9430B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311376Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.855{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-789C-6197-EE9E-000000000E02}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311375Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.855{CBEA6AB7-69FF-6192-0500-000000000E02}408524C:\Windows\system32\csrss.exe{CBEA6AB7-789C-6197-EE9E-000000000E02}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311374Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.855{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311373Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.855{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311372Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.855{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311371Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.855{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311370Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.855{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-789C-6197-EE9E-000000000E02}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311369Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.840{CBEA6AB7-789C-6197-EE9E-000000000E02}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311368Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.470{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36F9285DAAF1E4B88C515C2A423FADFE,SHA256=43875093219C7F02AEB4F338232C05268ED8FE04C9ADA5BFC4A5F9B85447B6E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311367Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.470{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20E6E597E17289BE154A26C2FD8ABDB2,SHA256=F6E96FD117F6027A732C5C1F9F122F4C9255AD89105394C042A63C94351C3DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311366Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.270{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76D6DF5C2E66FBECC64AB23E220390A,SHA256=4ABD7066F7ACEDDA6DACE60EDACE93FA89B2A817AB597A649DE99B15F54C7FA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311365Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.170{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-789C-6197-ED9E-000000000E02}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311364Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.170{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311363Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.170{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311362Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.170{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311361Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.170{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311360Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.170{CBEA6AB7-69FF-6192-0500-000000000E02}408492C:\Windows\system32\csrss.exe{CBEA6AB7-789C-6197-ED9E-000000000E02}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311359Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.170{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-789C-6197-ED9E-000000000E02}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311358Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:44.155{CBEA6AB7-789C-6197-ED9E-000000000E02}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001121792Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:03.984{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-43510-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121791Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:45.785{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC72BD697B4B60A0992007CD3781F1D,SHA256=D209473D63E5A74ABB9FDB8A3873B7A463BA61C00C887347476621D8A0F8E5A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311388Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:45.839{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36F9285DAAF1E4B88C515C2A423FADFE,SHA256=43875093219C7F02AEB4F338232C05268ED8FE04C9ADA5BFC4A5F9B85447B6E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311387Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:41.736{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60153-false10.0.1.12-8000- 10341000x800000000000000017311386Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:45.456{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-789D-6197-EF9E-000000000E02}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311385Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:45.456{CBEA6AB7-69FF-6192-0500-000000000E02}408492C:\Windows\system32\csrss.exe{CBEA6AB7-789D-6197-EF9E-000000000E02}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311384Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:45.456{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311383Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:45.456{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311382Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:45.456{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311381Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:45.456{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311380Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:45.456{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-789D-6197-EF9E-000000000E02}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311379Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:45.441{CBEA6AB7-789D-6197-EF9E-000000000E02}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311378Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:45.271{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69C8A84405B879386BFABC6208ADAEA,SHA256=8002F6AF88A2324A4DBD327A5189959332FA81D15A6CFF8BD1BCA39E06E51021,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311377Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:45.213{CBEA6AB7-789C-6197-EE9E-000000000E02}43726720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001121793Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:46.800{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD3E3D61CB2993217EC7364801EB2F59,SHA256=DC9581B6A63B8E5F84DE4780FD6F61809C082354C96B3901E94BEFD12799A791,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311407Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.971{CBEA6AB7-789E-6197-F19E-000000000E02}10606116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311406Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.802{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-789E-6197-F19E-000000000E02}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311405Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.786{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311404Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.786{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311403Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.786{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311402Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.786{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311401Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.786{CBEA6AB7-69FF-6192-0500-000000000E02}408492C:\Windows\system32\csrss.exe{CBEA6AB7-789E-6197-F19E-000000000E02}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311400Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.786{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-789E-6197-F19E-000000000E02}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311399Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.787{CBEA6AB7-789E-6197-F19E-000000000E02}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017311398Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.302{CBEA6AB7-789E-6197-F09E-000000000E02}81686500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017311397Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.286{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA23D52EA609E2AD6506F332E66EC8E6,SHA256=8FDDD8A29008027BC9505695FB284D2CBE849B6B7349FAC8C70B7CEE0E3570AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311396Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.123{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-789E-6197-F09E-000000000E02}8168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311395Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.123{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311394Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.123{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311393Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.123{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311392Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.123{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311391Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.123{CBEA6AB7-69FF-6192-0500-000000000E02}408492C:\Windows\system32\csrss.exe{CBEA6AB7-789E-6197-F09E-000000000E02}8168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311390Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.123{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-789E-6197-F09E-000000000E02}8168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311389Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.118{CBEA6AB7-789E-6197-F09E-000000000E02}8168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121794Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:47.815{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00EDBC0E7B1625F25C2F943CF7954989,SHA256=1469D4C9FD4C30123092B03C29AEDCB7BEA1483E4A9CC512E861E33942AB68C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311422Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:47.554{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311421Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:47.539{CBEA6AB7-789F-6197-F29E-000000000E02}43328304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017311420Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:47.522{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=34F972FC4332C26790D44F8F3AAE0083,SHA256=E56482CC14DA71E098750D93DE1769C28398FC5B2C56CCABC7DE3812F0B3BB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311419Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:47.522{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=2D4E41AB00D8E6DDB35909B29C38C184,SHA256=890AD4C0117C7ED892FF35ECAD32FA45E382E047B8AAD768DB8A102D5CE8F51E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311418Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:47.521{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=B10C7C9805C5CAE6D64690C5F3F97075,SHA256=D91506D07CB71420EA37F7E427A46D17199602ABD8B17972E735C826192B505D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311417Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:47.370{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-789F-6197-F29E-000000000E02}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311416Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:47.370{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311415Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:47.370{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311414Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:47.370{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311413Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:47.370{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311412Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:47.354{CBEA6AB7-69FF-6192-0500-000000000E02}408524C:\Windows\system32\csrss.exe{CBEA6AB7-789F-6197-F29E-000000000E02}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311411Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:47.354{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-789F-6197-F29E-000000000E02}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311410Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:47.356{CBEA6AB7-789F-6197-F29E-000000000E02}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311409Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:47.301{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57F2CABEBFF5AA3689063B98A9B1B7E,SHA256=157263D0EED7751E0CA3F3EF093553B1419D19C554C0068D7DADF41F0F68C83E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311408Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:47.122{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E46D76456E89373B6AD490507F9295A,SHA256=A3E49F506885F63FEC5F8B8C545DF45CBBB1F154399FBD98657A5361B239040C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121795Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:48.816{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45B6D01C836791F3C39C6086B468304,SHA256=4D5E2F7A2CB76B487190BE1E176E18270B2C8F657B24A18A42CE97B55C78403E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311425Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:45.067{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60154-false10.0.1.12-8089- 23542300x800000000000000017311424Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:48.355{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6448F0960C7259AC6416097A3381FB5,SHA256=EFAD17FBF0F9C64C2758989D4AC1F99B8BBE57EF1A92F0085F4F2788CAA03878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311423Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:48.323{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561D72780C9BE926F5160761DDBD4F6E,SHA256=7C6338EA300AE9C7AACDE492013525D9802737B7C400534EB5772B5DA4CF7814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121796Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:49.831{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F36707B55DB986D9E7E025166249FC,SHA256=BCDD7A4BD9AF85D55E8CB2836B53B3734B41FD9D0973999BBBA848AC3E5B4E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311426Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:49.338{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3A86B4ECB59B7422D985426A6141A8,SHA256=73A51AF88D82903EB3E55BCC12C5EC90E5C33E05DD8B1EBFD160FE747FAD9C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121797Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:50.964{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531F7F0D7373A3881661CE3F6442F892,SHA256=BEB1F7F9E111B605EDC044D694E5A4DBDC905C1182A929391012F1F0CE54BA8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311428Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:46.788{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60155-false10.0.1.12-8000- 23542300x800000000000000017311427Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:50.363{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDFAA75C06B68A5FE676718BF34A239,SHA256=961FCC09B1E664D162F7E9FED1A8B1567E6F19B580E3F7B66CEEE088249D1301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121800Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:51.984{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250CFF90048FC1A80E0B9B3C458BF3F6,SHA256=AE234BE1D190CE3E121C2786943181CE46A9B8CB026C6C3E061B3463A5171653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311429Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:51.370{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5A707AC08B4D1BDDAE32D8129120CF,SHA256=124F059979907EE8E65D98FD1D3A825E30FAE416EA89C40F06993FACFE1400C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121799Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:08.334{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54373-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001121798Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:08.259{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-60102-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121802Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:52.985{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C46C5AA43E9E97FEDD7346DC02D2E3A,SHA256=35D2F8B462AA239FAC0434A218999D1A80B37CF94007392CB4DCF630F42339E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311430Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:52.370{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0486D8C647FB38A46EE868FE2FE1C445,SHA256=08F65DA4B2B64C86462D15CDCA26A742E7745C3E3E2F65201A5EA6ADBABE6D52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121801Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:52.031{068A336D-6CBE-6192-9900-000000000F02}3876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121804Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:53.987{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5F5B6C38882E2E0DD1B49EC71858E0,SHA256=2F161146FC01223C0E64C95ABE2545D65E084847292AE080117F9829BC026F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311431Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:53.384{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0633BAF49F9BF78C101902299C6E385,SHA256=742FF72573EE527D4B388177EFE93DAE77D8C348C5D3D511B754956A08B0817A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121803Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:12.104{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000017311433Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:50.298{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse45.141.87.27-13623-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311432Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:54.399{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F399D4730EF506A91DA545FA050B863,SHA256=151DFD91FA0E851743D6EE2D299665AFEE4F650A643C4379A305FD1EEB453F68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121806Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:13.559{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.114-51523-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121805Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:12.609{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-41710-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017311435Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:55.400{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8AA31B64EEF3DAB196BFB4E6F63AB9,SHA256=D6E15A5C1995D0E2435155C6BA769445E82C96262781363C0C28029AEA30285A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121808Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:14.292{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54375-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121807Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:55.150{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC353529956E366157A11301D38F21A3,SHA256=FD9C7EAC61E3AAC4BAF19D345C040DA9CAA5C25D15FBBD1774DC0C112FF51687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311434Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:55.200{CBEA6AB7-6A01-6192-1100-000000000E02}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=556504A0F3B24866E1E6231C8104CBE6,SHA256=81481E2DC14593B52FCA69687A43C539EA94A2759C59C494E0B33B8129163C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311436Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:56.436{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181706465FAF74DE1B7B47A0ED97BFE7,SHA256=350B7358D8D735289CEBB09C001FBCB782D7869D978AD4E7B97FFF752B902063,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121810Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:15.470{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.144unn-212-102-35-144.cdn77.com61002-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121809Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:56.168{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE9DBDAF9A9A76350F7B94E855AA423,SHA256=61A9209C6AAFDBECDBABF14403CB54FBDABEE44E6D08D35550D84996CF5C5B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311438Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:57.451{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF6AECF3CAB818FD2C65E93CFE889C2,SHA256=B3B5FAC9D7E9F75536B99C81BA69A07A816486CCED2A0698318660BF08F337C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121811Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:57.186{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610676E5DA4854137EE88A97C89446B2,SHA256=65A6116D50A630E0C9A3F8B4C6617FD8F3089AF7157AB78D65AA25E5DE9AEA0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311437Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:52.788{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60156-false10.0.1.12-8000- 23542300x800000000000000017311439Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:58.465{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF2213888D428323A5B21CE989FA729,SHA256=89B54528735FA3A6FE1D2B065DF39FB64BE8B740C1012B02851ED44023525BBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121814Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:58.734{068A336D-6C47-6192-1B00-000000000F02}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\respondent-20211115141851-5376MD5=7D5F4D75B6205BAE0B0CD245353355AE,SHA256=FF29CB026251AB2F621324A386EBB740C0EEF4A7746CD7FA9FAF12CBD8E709CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121813Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:58.201{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03888EFB9098BD540689465DC46FFA5B,SHA256=C670F23FA0A0C631BCF668974156CD5F76280F57B1D1BFF5DB011BA358CCBF85,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121812Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:16.596{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-42794-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017311440Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:59.480{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2282A017F134BA7A6E909D414FB030C4,SHA256=2075875DD606BBB392E7857E74476EDFD2F7A7DAC33650D01E236C52E761CB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121816Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:59.749{068A336D-6C47-6192-1B00-000000000F02}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\surveyor-20211115141847-5377MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121815Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:12:59.217{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7021AB153678E22344D27192EB6263,SHA256=A06CA551CDE5E68E4B26677BC155573B8C67E2F67B752EAB3BDC2EA034097224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311441Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:00.495{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35DED710485FA451A51E7312014A2EC9,SHA256=5D453E6DA283C5CC8AC4E70FB97CA70FCE5EDDA242A2705EF7EC4396E1CBE8D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121819Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:00.231{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E90B570E64DBA69C2BDBB391E485E6A,SHA256=8C85EA23A163C1E2C4C604917D7C2A692AB1E4524B7E0F89D76E12FFE09E12D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121818Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:18.278{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-51050-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121817Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:17.909{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-52954-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017311442Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:01.512{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE305C13BFDD200EE8982B44291E69A9,SHA256=9102813210682B022F6B6E013C030EF2865F94EEE1B013F58DD06E3367C5E4A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121820Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:01.234{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7450043AF315383BE8C5A5F58F1C2E40,SHA256=FC5E33C190A487BEAB867ED5184CBEF826388D0DF21DBA8A2E4612C345C1CFC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311444Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:02.533{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50302ED0D9A1AD1DC2D70FBCB7FEDEC5,SHA256=239EA212BFE25A608EC8DAEDE91F0D36DF1D603F35F34BCA97E060242733D32A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121822Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:02.249{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABE36E94023B1C5DE5227050E9D141A,SHA256=42416D376996A4EE06780D10E812E2EBE7F48D927E8406A6AC1FE02FCD9CDB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311443Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:02.179{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\glean\db\data.safe.binMD5=7B1F4FC670F956840400B573E81FDC1C,SHA256=222AB43FF1081D9135826F2F3A5AAE6F81D4CF960926158BB75457F44E15FECA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121821Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:20.240{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000017311448Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:12:58.598{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60157-false10.0.1.12-8000- 23542300x800000000000000017311447Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:03.950{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E5388C5852B1022E960EDD48FB56854,SHA256=860258F6E5FAC8C166DDA39FA5C8F52D1A4CB3947F71FC300F1EE3A1146CD884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311446Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:03.950{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50F00B4738604964E822CE0C65265A52,SHA256=218B0BC0D92ACB0AF531DE61960537E95778EC7DCEDD9F739B7A67A939F786A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311445Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:03.535{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B50EC6779176549A806D34778FFA477,SHA256=CD5FBAFE7F299B962267A90A753DD9653C77AF2595CD23E8879627CF7344A0F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121823Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:03.268{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD5F6531C5DCD96E54C1863421F7CAE,SHA256=26D27885C54E70A4B2F0DF93F2F9A3325DD252150A986892158EE21EFE3B399E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311449Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:04.550{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068ED4503589CECC730EB16189991089,SHA256=5606E777DA204418274B235B0355912E75B5E704FE0B43ECFDCC77C0925DF1E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121824Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:04.286{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B41DE3FC20605ACE80BAD6F996B53C,SHA256=99F227601B253786A511CEBD31710FDAAA6420EFCBE5C708E72B482FBF9AC732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311451Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:05.564{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BCE566712C0AB166AF47B17832DD81,SHA256=5E049D8E90C34F808F28B95D4E1146758EEABAE64CF1C281E60F80797C3E5BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121825Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:05.348{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D900328C414FB05A7E50BC211D7B25FC,SHA256=78335B9DC1ADFC2960D127720B0BA415D63611C9CDD5470268FE85F6CE87D2ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311450Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:00.359{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-44110-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311453Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:06.749{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E5388C5852B1022E960EDD48FB56854,SHA256=860258F6E5FAC8C166DDA39FA5C8F52D1A4CB3947F71FC300F1EE3A1146CD884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311452Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:06.580{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A76F392B2ABD80F66B7EB28C70F151,SHA256=6DD5C19A7317912ACF05EA6A79B69B15BDA6E67C6404C10978E5A676B0D6C1F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121826Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:06.368{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F320CCC339581DF2393A4E80B346E4,SHA256=896BF216F29614BEC70034402C6A31F0374DC1A78D7AB27D500BDF44BE820F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311455Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:07.595{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAED3A0B92B18EBF4568CB7BB617CCE7,SHA256=73E722B4897C90FB602EA50F0AAD7C36C8EB582B6F3870A0462D2BD161F6E280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121828Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:07.466{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE3F7C964CF0395F4B51CF33FF567E2,SHA256=03D13ACE54C99CB9B6EDB9A740FFC025E0F7D9A2EA5DFA575A9BA46B26BFDDEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311454Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:03.155{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-50390-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x80000000000000001121827Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:25.306{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54377-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017311457Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:08.613{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648AB209771AA3A3476F30B5436BF11B,SHA256=D2303BE01193A3190D8D520955EBE716CB1E874F610A30EBA39EB837BF808518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121829Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:08.499{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A60844FACE436B4ED1E3F610A62FF40,SHA256=E2A5CBE4B8C24C56D51594861871F86E390BCC966BA782297D62F8CE3037C44B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311456Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:08.595{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F49238150169212B27ADF90B757DADE,SHA256=D1A69725260B8DFAA985EC987633091BCCAF8DB4804470DD7F0FBE4796B20E69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311461Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:09.894{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=281C325502F97DA24B54E84D92DC48D9,SHA256=C712F04BCE49F1F63FD49D7DD7DAC306796581C56B03EB22F62ECCFF812B6369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311460Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:09.631{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039E6CFDC207A20B347C0153BC5C46EC,SHA256=98635D1D3FC2CB35BC6397BCCD6FF907C8B74CDB2047536D8FBB2690B8491D71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121831Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:09.814{068A336D-6C46-6192-1200-000000000F02}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9399C630C683D4D637C90632774239DB,SHA256=39224E5C71AA34DCBFDA234117B5F3995B117328F5DCD83AC3F33D9A68DF9253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121830Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:09.514{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D23C2E566CDEBEB5A13C26A9F20C5D,SHA256=243A4D7A0B895415233A3F4895A1F9806C9AB9B0E812D6D1C8BC8DA857562AB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311459Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:04.588{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.93-54246-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000017311458Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:04.583{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60158-false10.0.1.12-8000- 23542300x800000000000000017311464Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:10.911{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EF228E7AC7D0901AAA0E8721ED5483D,SHA256=88063816A7026683E82A200C0CDFEC0A66C32F0B70D16EDB8475E712B6662473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311463Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:10.646{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DDE6FA06C3D407934E762434536442,SHA256=448EFCE30731F89D75D3B8F390E602678296184A959A7FD133D5679FE3CA762C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121832Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:10.530{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95208362A8D57CCBF76D6C1CF1457F1D,SHA256=C0D6A14D93A2A7118F60140D95411F4243ABE48DFB8F9EADDB56026CBD4DB7E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311462Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:06.087{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-52138-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x80000000000000001121833Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:11.544{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D08AC464E0CEBD44B66607E28BD12D6C,SHA256=328E16C879FED46B4A510E28008619964D1C414CD7D231919347397A4928FC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311467Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:11.646{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFEC8715CDF602855C8C32330ABABA7E,SHA256=88F20AEB9AD390CAEC20F57B8E6A37E31840B03A6DA04F40C159CCAFF8BC0E0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311466Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:07.314{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-60370-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000017311465Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:06.578{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-57440-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x80000000000000001121835Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:12.728{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370106072FEB3A8736D881B714F25F5E,SHA256=E7E854346102C2C3EB22AC80389AC312F0655A44BA7A1FDE1FCCF1618E8363F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311468Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:12.661{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17700E9569CBD3F24945C8CBC3AD27C8,SHA256=1368CF97F8A5F8DD69ABDF60A5F0D2DDDBDAAFB1B0119F9C9F0BC9EFF42EEDF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121834Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:31.103{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54378-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017311469Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:13.675{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A1DD1A79CA39814C3DA46F499E27A1,SHA256=650816DC8DB41C16EBB0444BDF9B004256DDE3EB3C47A9117C061370BD46BD3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121838Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:13.762{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302509FFECF0CA9016BDC03980BCABC1,SHA256=56F21196C7FB1898F6C6F58B5AF02F2EA29C4AA9400E9F6455FB6B52B1552186,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121837Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:32.357{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54379-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x80000000000000001121836Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:32.105{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-48794-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121839Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:14.795{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E75E658E1B1C4E05D4FAC368A9F619,SHA256=FC59B09F488BD0AC8C3EF2A4706C99ED1C13335632DD00C28335FC026EE824E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311472Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:14.677{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205316DE105C100CE4633E9E15297812,SHA256=BB77551BB779320F80AD1B84E40E9E6F065C87E9CE506BD1D8ABD2172D24179A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311471Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:09.833{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal54379-false10.0.1.14win-dc-970.attackrange.local49676- 354300x800000000000000017311470Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:09.712{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60159-false10.0.1.12-8000- 23542300x80000000000000001121840Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:15.811{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706A1CE1600D8B9B594251C9FE7B64B2,SHA256=6AD7B6562FD59781245F2BB700D84F5A519E8BCA51450C317B82611CD5C0FF82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311475Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:15.692{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D85762B7AED3E68D443CE2402B2E863,SHA256=DD62AA15BDE63779636BF9589E8A3073701634C99653A108D568C50623B4D9FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311474Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:11.317{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-35204-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311473Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:15.245{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36E666771642C12BCAE8BEE44A1F8BE1,SHA256=6707EBA315C9E18F5FB5975135C7D81FDD89D735D90C1A97586FC95DC4F2A64B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121841Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:16.879{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76CEEFF70610A4E754368F760BBA790E,SHA256=0B807C9D317E791EB1629B9738A0D1441E8E32C1FF0FBF5F79E88B45B164A605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311476Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:16.692{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776C5AC02D8AE4CBEEBF6FFF9EDB92F6,SHA256=3B807F15CC9AD7F87F29CE861A7ED2D3EFB4F61C506FD9B6671D5A63F09EC839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121843Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:17.978{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832A18482455223163E2FD7465B93213,SHA256=B9E0679BE5CD93CDB0C261D5B873C6716111A9C8DE0E120B2A1E5D47E95C7FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311478Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:17.711{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72861677723C6793280D31E468DA197B,SHA256=76BEE59F0509FD8AD05A539D17D660164CF1DC8AA88E32CA7D53F5EBC8B1585E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121842Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:36.200{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017311477Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:17.430{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A705B8961C0D940D6787B1B1B0B444BC,SHA256=6897300E914D1EF4E32F95A592D1EBB05239228919080387E1915F10E55AABE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311480Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:18.728{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8995E6A5F2F61E09462717098DE4D863,SHA256=7C803FC3973778CF179CC442D1B3A4C71723B5379C6A3FD0D789C681742F7E21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121844Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:36.803{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-34654-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000017311479Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:13.734{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-46156-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311481Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:19.743{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917F78BE62BAADAF84449EB75EBFCBDD,SHA256=36E4AC8AC69162F2477CC5F5F172E5729ECF34510A61489E48472F4E703FBE49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121845Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:19.109{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3891786AE607D9D988D05265BFCFE0,SHA256=BDE8A98128ECAC0BEE30E0CA4EC022E46EAAB81DBD97C66CBAFA23A604B0B9C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311483Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:20.758{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDC2C67C0D31F7EB8E9C2E65F26F79A,SHA256=87D9F79E19AED6644046E6426F36374DEDC08F28C251A772C0E752E2407F578B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121847Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:38.762{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-43076-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121846Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:20.159{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03F571B604DBE6418B631392BE423AD,SHA256=3D90E7CDC0523E8070ABED82E6E44F6B789C6630A937E5C9EC9F2F01A1764C31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311482Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:15.595{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60160-false10.0.1.12-8000- 23542300x800000000000000017311488Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:21.773{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD128795F6078F3438A3744462E36E0,SHA256=CE47DDA2DEEFFEEAC77B87071609C73457FC7D04D850DEF1FD7432002EA8CA4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121849Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:40.251{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-38558-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121848Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:21.324{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF5184E80427CDDFB5485A743468F0B,SHA256=16AB02A077EB8B87AED3F77EAFC9278C4BECA8D219B20BECEFA3DDDF46DDD9CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311487Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:17.788{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-54130-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000017311486Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:17.627{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-53648-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000017311485Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:17.536{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.144unn-212-102-35-144.cdn77.com64641-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311484Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:21.309{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=175BD6E50E38D420F53417D0FBCD58E1,SHA256=B949358056287060ADE5BA991AC034631E1F71F5CCB3DF0ECACB66A454AA2272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311491Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:22.789{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2462F3A3F00E8222A99557A39FDD532A,SHA256=D4CDEEB899F0F8507B9F5D5AF813C1E729F8099D752EF48032C61189F7D26DB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121875Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.640{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121874Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.640{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121873Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.624{068A336D-6C45-6192-0B00-000000000F02}6241088C:\Windows\system32\lsass.exe{068A336D-6C46-6192-1600-000000000F02}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121872Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.608{068A336D-6C46-6192-1600-000000000F02}12203700C:\Windows\system32\svchost.exe{068A336D-78C2-6197-9EA1-000000000F02}776C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121871Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.593{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-78C2-6197-9EA1-000000000F02}776C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121870Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.561{068A336D-6C45-6192-0500-000000000F02}408424C:\Windows\system32\csrss.exe{068A336D-78C2-6197-9EA1-000000000F02}776C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121869Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.561{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-78C2-6197-9EA1-000000000F02}776C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121868Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.540{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121867Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.540{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121866Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.540{068A336D-6C45-6192-0B00-000000000F02}6241088C:\Windows\system32\lsass.exe{068A336D-6C46-6192-1600-000000000F02}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121865Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.509{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-78C2-6197-9DA1-000000000F02}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121864Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.509{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-78C2-6197-9DA1-000000000F02}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121863Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.509{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-78C2-6197-9DA1-000000000F02}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121862Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.509{068A336D-6C45-6192-0B00-000000000F02}6241088C:\Windows\system32\lsass.exe{068A336D-78C2-6197-9DA1-000000000F02}5312C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121861Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.509{068A336D-6C45-6192-0B00-000000000F02}6241088C:\Windows\system32\lsass.exe{068A336D-78C2-6197-9DA1-000000000F02}5312C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121860Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.493{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121859Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.493{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121858Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.493{068A336D-6C45-6192-0B00-000000000F02}6241088C:\Windows\system32\lsass.exe{068A336D-6C46-6192-1600-000000000F02}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121857Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.440{068A336D-6C46-6192-1600-000000000F02}12205568C:\Windows\system32\svchost.exe{068A336D-78C2-6197-9DA1-000000000F02}5312C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121856Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.424{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-78C2-6197-9DA1-000000000F02}5312C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121855Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.408{068A336D-6C45-6192-0500-000000000F02}4081012C:\Windows\system32\csrss.exe{068A336D-78C2-6197-9DA1-000000000F02}5312C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121854Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.408{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-78C2-6197-9DA1-000000000F02}5312C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121853Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.393{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121852Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.393{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C45-6192-0B00-000000000F02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121851Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.393{068A336D-6C45-6192-0B00-000000000F02}6241088C:\Windows\system32\lsass.exe{068A336D-6C46-6192-1600-000000000F02}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001121850Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:22.358{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C97E9A3A0129638F5DAE86EB72141C5,SHA256=7CF4034A17C641092BFA64893141D4B1D4EA893D98ACDAC51A17AB11E1AAC166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311490Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:22.642{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\aborted-session-pingMD5=CDAC7AC26318445558476E7E59EC101D,SHA256=B29FC3604D742318217E1FD0EEA5320E0329B54A7CD83190C93ACE1D471445EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311489Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:18.470{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-56918-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311494Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:23.806{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD82C8893BE56FBF54C3E2512D4E1D46,SHA256=1E9887FE62C9032211C6A8F42B0DA535D65A284ED484E7F4EEFDCA0F74005905,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121877Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:41.557{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-45206-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121876Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:23.739{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6239487F572529E6B8B0AD56D496BE28,SHA256=0FF4159A68BFEBAD624F93CC82462F5AE9F301ED72608893CE5F5B829098A703,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311493Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:19.402{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-52782-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311492Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:23.057{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B111A3DD63C61C67161C53DCFFEDE16,SHA256=38AEE96E44D8FAB080AB6C2FA7E4FC8CEF56D4AB80615030B60A62F6CAE854B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121883Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:24.810{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37B8488F8CD233E84FF3210984FA599,SHA256=943A2E28630EDEAAFB9CE7CBB9F4B2ABC46BB6C894A3859149CCA980A916C617,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311499Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:21.527{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60161-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local389ldap 354300x800000000000000017311498Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:21.527{CBEA6AB7-6A01-6192-1600-000000000E02}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60161-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local389ldap 23542300x800000000000000017311497Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:24.974{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F68F28F028098F08D69D7461F0E56BD2,SHA256=89EDD7CBD587B89BA18DCA07223D2D6EB8669ADDA351C78664C9B0781A4B7EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311496Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:24.827{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A327034DAC63C5301B434B3E9CB623D5,SHA256=3BE69AC2918E743FDCCB2D52DB483ECA389BBE7EB7B61F82BAFE3E1473BDA4C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311495Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:24.072{CBEA6AB7-69FF-6192-0B00-000000000E02}6244484C:\Windows\system32\lsass.exe{CBEA6AB7-69FD-6192-0100-000000000E02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x80000000000000001121882Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:42.230{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54381-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001121881Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:24.613{068A336D-6C46-6192-1600-000000000F02}12204836C:\Windows\system32\svchost.exe{068A336D-78C4-6197-9FA1-000000000F02}3220C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121880Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:24.594{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-78C4-6197-9FA1-000000000F02}3220C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121879Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:24.578{068A336D-6C45-6192-0500-000000000F02}4081764C:\Windows\system32\csrss.exe{068A336D-78C4-6197-9FA1-000000000F02}3220C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121878Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:24.546{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-78C4-6197-9FA1-000000000F02}3220C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121898Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:25.894{068A336D-78C5-6197-A0A1-000000000F02}39882476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001121897Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:25.810{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E6ABED7343CC2988055316B91CA3DA,SHA256=75631E5837DFE06011A99BFE799236376EF1482BD59800524C458FB3CD084072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311505Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:25.842{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2FFA693D72789005DE9390C08B6F3CD,SHA256=78A8593D95A0257C0863BE2F99415FD0C4DEB982A51CEA7E1ED574B2442ED375,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121896Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:25.694{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-78C5-6197-A0A1-000000000F02}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121895Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:25.694{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121894Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:25.694{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121893Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:25.694{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121892Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:25.694{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121891Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:25.694{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121890Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:25.694{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121889Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:25.694{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121888Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:25.694{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121887Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:25.694{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121886Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:25.694{068A336D-6C45-6192-0500-000000000F02}408524C:\Windows\system32\csrss.exe{068A336D-78C5-6197-A0A1-000000000F02}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121885Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:25.694{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-78C5-6197-A0A1-000000000F02}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121884Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:25.680{068A336D-78C5-6197-A0A1-000000000F02}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000017311504Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:21.626{CBEA6AB7-69FD-6192-0100-000000000E02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60164-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local445microsoft-ds 354300x800000000000000017311503Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:21.626{CBEA6AB7-69FD-6192-0100-000000000E02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60164-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local445microsoft-ds 354300x800000000000000017311502Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:21.607{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60163-false10.0.1.12-8000- 354300x800000000000000017311501Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:21.547{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-970.attackrange.local60162-false10.0.1.14win-dc-970.attackrange.local389ldap 354300x800000000000000017311500Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:21.547{CBEA6AB7-6A01-6192-1600-000000000E02}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60162-false10.0.1.14win-dc-970.attackrange.local389ldap 23542300x80000000000000001121912Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:26.825{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4235B7DCC729FDE13BD83EDAA81D7E,SHA256=B0DA6137E83EC589AA786F5F21D76576CA6CA1A5D3453FB7590809683580D911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311508Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:26.843{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A7EA9713C8E9BFEAC494D2AF88841C,SHA256=D8A0877A91BF6A9C316DB6CDD8B4553AFBB8E585BF91F687B2EDCBB3EDFBE768,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121911Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:26.394{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-78C6-6197-A1A1-000000000F02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121910Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:26.394{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121909Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:26.394{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121908Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:26.394{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121907Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:26.394{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121906Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:26.394{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121905Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:26.394{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121904Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:26.394{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121903Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:26.394{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121902Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:26.394{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121901Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:26.394{068A336D-6C45-6192-0500-000000000F02}408424C:\Windows\system32\csrss.exe{068A336D-78C6-6197-A1A1-000000000F02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121900Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:26.394{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-78C6-6197-A1A1-000000000F02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121899Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:26.379{068A336D-78C6-6197-A1A1-000000000F02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311507Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:26.627{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=231066CC5606A4A691DAC94C5AA207D5,SHA256=7501591280365F523B898773378C1C871D8D98A4B0D7ABE7AF966429619E7A17,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311506Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:22.664{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-37784-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311510Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:27.858{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8E6D6B13948913FA54EC54773A8255,SHA256=F71F9C380999E31D7AEFF2DEA61188E6C5063C4C10A042315D73211033DBF550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121927Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:27.877{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E75ED3742C26970609A43C1E84F513,SHA256=00D19F945522F60248FDFC789C7C48DF450E6CBBD8A4E10F2CC700E97EC81F08,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121926Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:46.671{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-52552-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x80000000000000001121925Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:27.078{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-78C7-6197-A2A1-000000000F02}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121924Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:27.078{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121923Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:27.078{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121922Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:27.078{068A336D-6C45-6192-0500-000000000F02}4081764C:\Windows\system32\csrss.exe{068A336D-78C7-6197-A2A1-000000000F02}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121921Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:27.078{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121920Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:27.078{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121919Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:27.078{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121918Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:27.078{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121917Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:27.078{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121916Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:27.078{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121915Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:27.078{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121914Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:27.078{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-78C7-6197-A2A1-000000000F02}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121913Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:27.057{068A336D-78C7-6197-A2A1-000000000F02}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311509Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:27.709{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86D6B29659A1DC1101F43AF590DA09EC,SHA256=7D597DC91825883A523F7863747E70BC193203DCB24344A37C48FEDC5DA2B551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311513Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:28.889{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342F79C54E07F6E9E760B011A1352AAF,SHA256=8E36E0DC4B98B74B39C00F38A68B0695FDE61B60E75CBF6858F015F262924612,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121941Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:28.992{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121940Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:28.992{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121939Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:28.992{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121938Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:28.992{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121937Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:28.992{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121936Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:28.992{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121935Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:28.992{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121934Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:28.992{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121933Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:28.992{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121932Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:28.992{068A336D-6C45-6192-0500-000000000F02}408424C:\Windows\system32\csrss.exe{068A336D-78C8-6197-A3A1-000000000F02}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121931Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:28.992{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-78C8-6197-A3A1-000000000F02}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121930Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:28.978{068A336D-78C8-6197-A3A1-000000000F02}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121929Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:28.908{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B08494D9729C1D3C36A180220CE239,SHA256=09A5800115D783E51A340478335C1BEACF0D7297699D0C59103180CB5C9AE21B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311512Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:24.114{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-34702-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311511Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:28.408{CBEA6AB7-6A11-6192-2900-000000000E02}2928NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\respondent-20211115140924-5385MD5=B1D65678BAAFB9FBC346ADDC22B9EF13,SHA256=A60E4A1EB0B1846EE4D092EA74D659E3EDD5022A58AD08DA4DCF9E97FBF70157,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121928Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:47.331{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54382-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017311517Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:29.932{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4CE4E872633B7210FBD87C4F6C8249,SHA256=C0134E894ACA15BFC8C9C30D06403F39C52A194A80D9D64F6B947D7A18ADB8A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121982Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.908{068A336D-78C9-6197-A4A1-000000000F02}37242972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121981Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.677{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-78C9-6197-A4A1-000000000F02}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121980Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.661{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121979Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.661{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121978Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.661{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121977Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.661{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121976Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.661{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121975Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.661{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000017311516Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:24.959{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-43204-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311515Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:29.436{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1DE4BAAC4745AC9CF879D36CB5C6105,SHA256=65485919DC8DA0EED275CF788FEB8179A0B30F18E1C09EFB06ACC7D80AC48F0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311514Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:29.409{CBEA6AB7-6A11-6192-2900-000000000E02}2928NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\surveyor-20211115140922-5386MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121974Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.661{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121973Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.661{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121972Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.661{068A336D-6C45-6192-0500-000000000F02}408424C:\Windows\system32\csrss.exe{068A336D-78C9-6197-A4A1-000000000F02}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121971Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.661{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121970Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.661{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-78C9-6197-A4A1-000000000F02}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121969Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.660{068A336D-78C9-6197-A4A1-000000000F02}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001121968Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.457{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121967Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.457{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121966Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.457{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121965Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.457{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121964Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.457{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121963Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.457{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121962Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.457{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121961Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.457{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121960Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.457{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121959Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.457{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121958Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.457{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121957Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.457{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121956Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.457{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121955Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.457{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121954Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.456{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121953Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.456{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121952Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.456{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121951Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.456{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121950Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.456{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121949Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.456{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121948Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.456{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121947Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.456{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121946Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.456{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0B-6193-5C2A-000000000F02}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121945Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.456{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0B-6193-5C2A-000000000F02}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121944Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.456{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0B-6193-5C2A-000000000F02}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121943Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:29.250{068A336D-78C8-6197-A3A1-000000000F02}42005868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121942Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:28.992{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-78C8-6197-A3A1-000000000F02}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017311519Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:30.962{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D4684D29C403C967B363D321522EE9,SHA256=371D9CA73D7D6583FEEBD59EFC3E11A3D51EF9263DEE73C8E78F32059ACE4C71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121997Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:30.379{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-78CA-6197-A5A1-000000000F02}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121996Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:30.379{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121995Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:30.379{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121994Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:30.379{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121993Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:30.379{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121992Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:30.379{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121991Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:30.379{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121990Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:30.379{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121989Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:30.379{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121988Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:30.379{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121987Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:30.379{068A336D-6C45-6192-0500-000000000F02}4081764C:\Windows\system32\csrss.exe{068A336D-78CA-6197-A5A1-000000000F02}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121986Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:30.379{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-78CA-6197-A5A1-000000000F02}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121985Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:30.356{068A336D-78CA-6197-A5A1-000000000F02}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121984Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:30.160{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730D6BB88F02FEA6CAABB4A46B7CD78F,SHA256=276133463BABC9982641B8CC0DFE53827396B9050CD5DCEBFE806763969597EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121983Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:30.139{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=761FCDC6B12778EF5F04B5A255D27170,SHA256=358A5B1BFEE31DA3666CECAD0655B62C6B039D43F322D79782B24CEA14A965E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311518Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:25.839{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-43406-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311521Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:31.977{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D34FCEC7366A07F403014CECE70AAAC,SHA256=08B6CCEB572CE61086F35C46570EE39071FEB94BD1862BFC787AEBC4296823FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122012Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:31.296{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A942C5D637B98D472BE9CE4BD7C07BF2,SHA256=C4218684B8BCC0B365434F4DED34BA3261FC4D59E78691AEB29245242A97EB71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001122011Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:31.265{068A336D-78CB-6197-A6A1-000000000F02}50923016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000017311520Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:27.612{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60165-false10.0.1.12-8000- 10341000x80000000000000001122010Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:31.061{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-78CB-6197-A6A1-000000000F02}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001122009Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:31.060{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001122008Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:31.059{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001122007Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:31.059{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001122006Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:31.059{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001122005Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:31.059{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001122004Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:31.059{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001122003Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:31.059{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001122002Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:31.059{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001122001Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:31.058{068A336D-6C46-6192-0C00-000000000F02}7241084C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001122000Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:31.058{068A336D-6C45-6192-0500-000000000F02}408424C:\Windows\system32\csrss.exe{068A336D-78CB-6197-A6A1-000000000F02}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121999Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:31.058{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-78CB-6197-A6A1-000000000F02}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121998Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:31.042{068A336D-78CB-6197-A6A1-000000000F02}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311522Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:32.992{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32FB05F22B20C64B32F3A6DD25D69753,SHA256=AC116DB5855C098896D0ECF82811D3D432AEE03A7BA416F80AD80B3690763B79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122014Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:51.770{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.80-49190-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001122013Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:32.295{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1063418E8B4CBAB69658F1010BE09D40,SHA256=01630756BB27469746C17A3D988B9C953FEB9EAB5F42E21F81F3A0FC05AC4641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122015Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:33.310{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2064A9A1D4A65092293227A0E792B5,SHA256=A195295A9CD8D99143DA4561B4F72559A3920CA0B2933ABB0714FDAABD115601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122016Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:34.359{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778B58BB3A47A75F8C6E6EC89AFD1CBF,SHA256=3C63319F9EB48DEE9B4B772A15CCFC6ECFCB958AD94FD0FE15DC32CF47FE4976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311523Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:34.009{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C76026955803CE717B7EAE593A93921,SHA256=B02009415561BBD92685D3F5544C0E1A8ED077B6E55CAFAEE550C8486A98FFD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122018Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:35.377{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2189265AB1E6AB4659D4A2E48CD685DA,SHA256=2291EE4C396BEFC52A3CA3E17AFAFD2CB07CD02A2BA1AE813AFE75BB3530EE6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311526Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:35.832{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3116443EA4B404957CA985D6A8AF568,SHA256=7BF001B9A8CF117CD6D27EB27044CC8613252D36AC3B15172AA79C7791BA0780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311525Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:35.832{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDB62ADAA4B9AF0E04C38A763A5F6AB4,SHA256=CC66C57D744502A9B507E00AF1A7AB587943D91203D3B86CE19525C2FCADDA8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311524Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:35.012{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69AD12D72B9144558710ED101954851,SHA256=A9008428F0B2A0782309E330D2EDDBF8DBB0E33C003275556AF67E1E0B9F9C1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122017Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:53.286{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54383-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001122019Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:36.392{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4EBB93497D4973B65B412AFAF15D27F,SHA256=59823C87DA019A9591E293CFC22203A71E1481D79D5E8E357E92B2D876A6122C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311528Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:32.294{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-52616-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311527Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:36.032{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7197B14A09E51B6CD6D2D31E756A6E82,SHA256=1D93A3AED8DF63FE7ADB0C1EC6AF6291E52752405E1DD7FC9BA6A18CFB64BB42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122021Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:37.438{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BA9DAA5464996904019CE2FFE866CE,SHA256=CF8D73571004C14A25E0E267944DACA5E6F2D10231A846CE3D437F72E5C6BB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311529Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:37.047{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107B80AEA2ADD650F9C58BC7339D7CE5,SHA256=280B3348E57B5A3E958A53ED098B732024DFCA180EE8CF863F7C81F3C37BABAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122020Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:55.178{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-46862-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001122022Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:38.637{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB50F6858AC4EFFB8EC3B83BDBAD385,SHA256=4EC6D47D9AA9649B5B027942BB153583B42B4E44C3335822C1B3AB93C1E5C816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311532Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:38.793{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3116443EA4B404957CA985D6A8AF568,SHA256=7BF001B9A8CF117CD6D27EB27044CC8613252D36AC3B15172AA79C7791BA0780,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311531Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:33.613{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60166-false10.0.1.12-8000- 23542300x800000000000000017311530Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:38.062{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0C2DB6FBF43484D0933464F8BD1CBC,SHA256=2FFAE01AA805683A42BD15EB042CEAB921F3AF055787211ABA4740E6C8BE18AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122024Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:58.307{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-53454-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001122023Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:39.757{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D12AEA675544BB72655719498FC3A9,SHA256=D96C537C9EBFD07045AECAD2664AC25B1BF4BCB322B407AE2446A324B6B1FAD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311535Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:35.328{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60167-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 354300x800000000000000017311534Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:35.328{CBEA6AB7-6A11-6192-2700-000000000E02}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60167-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 23542300x800000000000000017311533Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:39.077{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654A9C843B8E8897790869BA8FAF3196,SHA256=CCFA9121A79A03C6E7A643B9E6EBE94363F5BB1B90C22A599683F284C2048B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122025Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:40.790{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4952B9B5291086F919CED6AEA49CF8,SHA256=BC2DC313DB8F022F107343A362ED82B2256E2C4180E53A135CBC983B30A74358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311536Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:40.111{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7EE50CADEEDC6E524952F7172656D1,SHA256=8DC2E78BAAC552E1DBFA38B0BDF19E539CEB7A0F1ED786C9D0ADA27297AF35CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122027Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:41.821{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB7187521A04C2FE25C4393F9D95F85,SHA256=761A04D4538832B019704F20C894BC12FBC98E044C5F56B64EE08536D450D4CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311537Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:41.144{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2201594B748C26106AB4621197B3AA31,SHA256=EA645E4B884F683E8202BD4AFBFD07483DC913BBD20CF36A430D63FB8BE5BB6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122026Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:59.213{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54384-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001122028Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:42.873{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E5191AEE2EFE4D0313F62B78B4A3AF,SHA256=495663179621E7CB043BC18286E6A97D03B85109213CDD2BC5A09DA75B23A5F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311539Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:38.679{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60168-false10.0.1.12-8000- 23542300x800000000000000017311538Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:42.209{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BFA4F6BFB883E1284649AE369CD9D9,SHA256=10D23CB6DE83009680D57E0DD731CD941711F5F0A3CDE5193CE949E989156DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122029Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:43.904{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFA4C4B113DC3B5F836F0A79E1E55AAD,SHA256=182886B79E574802DF922E681AEF09683A9C256C64EF8344C11E06A2596CE759,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311548Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:43.491{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-78D7-6197-F39E-000000000E02}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311547Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:43.491{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311546Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:43.491{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311545Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:43.491{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311544Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:43.491{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311543Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:43.491{CBEA6AB7-69FF-6192-0500-000000000E02}408492C:\Windows\system32\csrss.exe{CBEA6AB7-78D7-6197-F39E-000000000E02}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311542Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:43.491{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-78D7-6197-F39E-000000000E02}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311541Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:43.476{CBEA6AB7-78D7-6197-F39E-000000000E02}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311540Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:43.229{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31A682AF4B2EBAC23896122CEB07537,SHA256=4CEFE06E988FD8B4E893B7A804A8FB718EC96048DFF97E289ACB09CD3FB32801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122030Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:44.935{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BA0C36CBE7FB54C51475DFD5030963,SHA256=31CE66870B487C19E4C84C89A1FC23D53EF5454D3CC83F671757B073F8BCAA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311569Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.911{CBEA6AB7-78D8-6197-F59E-000000000E02}69286236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311568Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.711{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-78D8-6197-F59E-000000000E02}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311567Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.711{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311566Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.711{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311565Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.711{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311564Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.711{CBEA6AB7-69FF-6192-0500-000000000E02}408524C:\Windows\system32\csrss.exe{CBEA6AB7-78D8-6197-F59E-000000000E02}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311563Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.711{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311562Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.711{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-78D8-6197-F59E-000000000E02}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311561Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.708{CBEA6AB7-78D8-6197-F59E-000000000E02}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311560Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.490{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=073C1BB86A433D770647AE7907D5BE55,SHA256=804741CC16C555407EB801DA6A68484BEA24BF2FD8D0F57755CC52A3DEE3E16F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311559Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.490{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BA250552D4D7D22E66F54827532D97C,SHA256=8F4A444F102B98B7E1477EFD3DEC1893EA4950BE9CF92BCD26828F439B2F0E4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311558Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.374{CBEA6AB7-78D8-6197-F49E-000000000E02}73927408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017311557Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.243{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2593960DC03D7DD8E3BB87A46F0C0952,SHA256=9C2A3101F16AFEA1991F1684C13AF1B17B164A5FB2EB4935E2467B3FE6426CA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311556Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.174{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-78D8-6197-F49E-000000000E02}7392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311555Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.174{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311554Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.174{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311553Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.174{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311552Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.174{CBEA6AB7-69FF-6192-0500-000000000E02}408424C:\Windows\system32\csrss.exe{CBEA6AB7-78D8-6197-F49E-000000000E02}7392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311551Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.174{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311550Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.174{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-78D8-6197-F49E-000000000E02}7392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311549Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:44.160{CBEA6AB7-78D8-6197-F49E-000000000E02}7392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001122031Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:45.953{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A88B699E611DA4194AF00CA90CB88C,SHA256=1C0001B6B2882B1E0E973DA3C7197EC1F6F99E5035DBD0834514631D6B80B774,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311587Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.942{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-78D9-6197-F79E-000000000E02}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311586Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.942{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311585Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.942{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311584Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.942{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311583Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.942{CBEA6AB7-69FF-6192-0500-000000000E02}408492C:\Windows\system32\csrss.exe{CBEA6AB7-78D9-6197-F79E-000000000E02}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311582Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.942{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311581Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.942{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-78D9-6197-F79E-000000000E02}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311580Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.927{CBEA6AB7-78D9-6197-F79E-000000000E02}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311579Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.726{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=073C1BB86A433D770647AE7907D5BE55,SHA256=804741CC16C555407EB801DA6A68484BEA24BF2FD8D0F57755CC52A3DEE3E16F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311578Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.311{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-78D9-6197-F69E-000000000E02}7932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311577Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.311{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311576Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.311{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311575Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.311{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311574Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.311{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311573Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.311{CBEA6AB7-69FF-6192-0500-000000000E02}408424C:\Windows\system32\csrss.exe{CBEA6AB7-78D9-6197-F69E-000000000E02}7932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311572Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.311{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-78D9-6197-F69E-000000000E02}7932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311571Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.307{CBEA6AB7-78D9-6197-F69E-000000000E02}7932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311570Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.258{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E73DFBA59363EEB6654F60994470E8,SHA256=754E18556474FC9E215AE65F3E9B1476119E58D0D7B02AD8F28A07FA17F37B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122032Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:46.971{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33FAD5D9FCD43EA32767DEA477E72D47,SHA256=66E53B53420B07210FEF3F1FE9266CE7C4443021BA4295E7229688EA5BA037DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311598Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:46.943{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D1DD25460DDDE27F3B414AFD60043F5,SHA256=202605B3F764D36165827E9C97D7C036014AB17847346868DC805B798853050A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311597Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:46.544{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-78DA-6197-F89E-000000000E02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311596Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:46.544{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311595Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:46.544{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311594Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:46.544{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311593Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:46.544{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311592Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:46.544{CBEA6AB7-69FF-6192-0500-000000000E02}408524C:\Windows\system32\csrss.exe{CBEA6AB7-78DA-6197-F89E-000000000E02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311591Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:46.544{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-78DA-6197-F89E-000000000E02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311590Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:46.530{CBEA6AB7-78DA-6197-F89E-000000000E02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017311589Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:46.260{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D474FE675916C1A523C35D26569DA77,SHA256=2D8511D07EB7716F1BD078B8AC1F57250D1D73B1B20965EA1F2D0A98EC86D484,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311588Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:46.175{CBEA6AB7-78D9-6197-F79E-000000000E02}65806996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001122035Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:47.986{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95897B3BB1F1B31C53243E5F64097656,SHA256=0A8D5F5EC33902839F680DD7F22E37D6522F3F82B7EC280500A0DEA14D1C3514,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311611Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:43.740{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60169-false10.0.1.12-8000- 23542300x800000000000000017311610Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:47.574{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311609Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:47.374{CBEA6AB7-78DB-6197-F99E-000000000E02}23567192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017311608Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:47.290{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18303C2F260FB5D6C452B9BBC958E7B1,SHA256=9262BA91AAF37D3CED51537639C63F059E4F56239479B063ED02D86C51E35423,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122034Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:05.248{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54385-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001122033Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:04.530{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-43498-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017311607Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:47.258{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\glean\db\data.safe.binMD5=F0E290453C0E9FEFDAB8C8B94DF88C4E,SHA256=A6E1AAB1064C6D23525FB51702583FF84B767B574845454F054333B84AA2E663,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017311606Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:47.143{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-78DB-6197-F99E-000000000E02}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311605Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:47.143{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311604Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:47.127{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311603Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:47.127{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311602Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:47.127{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311601Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:47.127{CBEA6AB7-69FF-6192-0500-000000000E02}408492C:\Windows\system32\csrss.exe{CBEA6AB7-78DB-6197-F99E-000000000E02}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017311600Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:47.127{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-78DB-6197-F99E-000000000E02}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017311599Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:47.128{CBEA6AB7-78DB-6197-F99E-000000000E02}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000017311614Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:45.108{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60170-false10.0.1.12-8089- 23542300x800000000000000017311613Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:48.307{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B4E2EE78166084101315426B78D6DE1,SHA256=DF7E507FEF94878ACA3E95AAC10AC6FF60C58431F6323E3F64978CF56B9E5656,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122037Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:06.642{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-48382-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001122036Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:06.515{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-48098-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017311612Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:48.142{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89886AC9D809EB7277345571EC7A30A3,SHA256=39C39CB1A4DA65633F6C48C54075A7172C12EC1652CF77B7BB515B26A8E8E690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311615Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:49.309{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400EE85B5B395BCA2CD6E6DC89DD3A43,SHA256=6649B2C91DB1A257092851C1C0CF43A8AE2F39932B4694E6D7CDD738041A34A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122038Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:49.001{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234B59B4A38AB711B89FF867379BACFA,SHA256=EF38F6A38E8514118074045B8B0085B89875928C4B502A2E049D8CBB4610579B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311616Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:50.324{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12665FE05D58409275C2CB426118A961,SHA256=48CDA6FB9F63298C1F18C5DE709882B999B233D9E45DA07F867753A52F0731E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122039Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:50.031{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=537B77584ED2BD29C7E785BBEBCAC128,SHA256=4EC8AC129C0D69CED3F7CDDAF67BA9BE2FAF43CBBE965AA5A6F99E1682829666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311617Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:51.338{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46F6163B3123C7914525CE9C23CD56E2,SHA256=06E707DD3CA404F496503D0DB2451F09F900427192F0E81715FE0DA4E9654C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122040Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:51.050{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409D71F39C133500DECD3B6CEDCC8981,SHA256=77C0F7EDD6EC81CC4F1D2131B12D5A6EB36A338E8CCDC70A34EC50193D29ADFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311618Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:52.353{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099B55A7FFF6EFF57AC5C534B3D40678,SHA256=F3C43245DDB331D47B99082195A43DCEC7220245CA747681572C1350E58791D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122043Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:11.126{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54386-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001122042Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:52.084{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA56ED94F895CA67BD47879F956B69F,SHA256=A188630A2A6287EB80D4449C947CD6314A43F7FB54D47DFF76666DC5079EC919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122041Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:52.051{068A336D-6CBE-6192-9900-000000000F02}3876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311619Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:53.368{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3CBCCF11AAD3EFAEA63D23FE1A0FE66,SHA256=E05D5896605F040CEEE3C8648B7E06893B3D0CD62B5B95B957FD30518CC89609,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122045Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:12.107{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54387-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001122044Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:53.130{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3814129E74F36EA257E8E452DD703A9,SHA256=D86F2D4482C42D996E88D08A77862F79131D200332B89563BBDC159DC7D3C14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311621Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:54.383{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0352C1C9B01576C5E475D32B0EFA26,SHA256=11D587C5CEBCEDD8D65BA72B60477347E2D03CB6C8E6398DEDB52FDA915349BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122046Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:54.183{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516D2D948C5616CFF34FB05FC378FF9C,SHA256=6174CFF03FE782C133B98344DA6F049C012B75FFEDC63F0AAF2CCEABDAC676F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311620Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:49.703{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60171-false10.0.1.12-8000- 23542300x800000000000000017311623Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:55.401{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4F7C81287AF092CC3C85606398CB72,SHA256=019F2BCE6EF0CC5CA9FEE9C4256BE48DBBED92301B80598B97AD73CA58ECCB39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122047Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:55.213{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07E7BF143328DCCAEFC35B39F3A20B6,SHA256=56FE83BE730EB9351CDBDB494AC9C6C4151DC301167E742EB14C6CE8C2B8360B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311622Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:55.220{CBEA6AB7-6A01-6192-1100-000000000E02}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7EB714C55BE1636E37842C9C86DEA572,SHA256=3BBA0A7C4098FD98241471B0C1EDAEBBF1D143E73C8189A8438DDFAA735589A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311626Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:56.450{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF6B1198446E4F21B00982EB30A36F6,SHA256=DD4EDA58FEC41859AE6D77E79FC78DBAFA91FB97C78E3B25AE0373FA5EED2FAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122049Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:15.080{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-58934-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001122048Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:56.251{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18339AC582EFB93CF73E0C0CD7D371FA,SHA256=5BB066CCD2D6059CF757868749F6B9BE85B1569C8C203D45FDAD9066191CD033,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311625Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:52.288{CBEA6AB7-69FD-6192-0100-000000000E02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60172-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local445microsoft-ds 354300x800000000000000017311624Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:52.288{CBEA6AB7-69FD-6192-0100-000000000E02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60172-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local445microsoft-ds 23542300x800000000000000017311627Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:57.451{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB46DAEE5162DCF644B069A8829AC65F,SHA256=020C3E583896F9DAF609192137FC7230DCDDC5AD2E1FDAD1874AE1C8E8221D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122050Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:57.265{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A9A05A4129169C2BCE446E0828A275,SHA256=40139778AF3D7CB30976F618BDAD05B930BA07E27AF3C6B528367FDB45C5F747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311628Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:58.465{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7962B4433342A36291805E35ED84E997,SHA256=568BF0D797842142EE7B855A07B3B6AB5293C22C8D45DBB510EA8FFFD40F5B03,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122053Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:16.995{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-34416-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001122052Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:16.224{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54388-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001122051Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:58.280{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA75FFD7CD2F9C5F6324C8D75ADFF86,SHA256=26E6E690B55C9CBE44B1DBF1BF576EEA73A96317DCB332A510FD4E3555D76576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311629Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:59.481{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C149E1DBC772ACEE00686E776A80E965,SHA256=6B3802A7894E60287F1CE16FE68D089D16EEA5734A05A6EB652C7020106DFD16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122054Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:13:59.280{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1BF8E97BADEBBF642F96CACB5B893D,SHA256=1229094826A28B25933E14AE64CB2594057712A3F6F35A675FA819EB02C22493,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122057Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:19.094{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-47528-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001122056Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:00.284{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FC0D6744E1708D53063AFB2D5B9C38,SHA256=6806D1BCBD4BAA1447A7209C1B88E4D000EADAB40954A76B6B59E47171B72AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311631Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:00.498{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39C2630085A8D7834E45AD5CE373EA5,SHA256=400D2892D6DC3B4F0923A1F7293BC174EC37AD0CD3A26BE5EE1D6180604A8999,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311630Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:55.731{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60173-false10.0.1.12-8000- 23542300x80000000000000001122055Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:00.270{068A336D-6C47-6192-1B00-000000000F02}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\respondent-20211115141851-5377MD5=7D5F4D75B6205BAE0B0CD245353355AE,SHA256=FF29CB026251AB2F621324A386EBB740C0EEF4A7746CD7FA9FAF12CBD8E709CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122059Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:01.327{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31233D2EDD18AE0D730F038268364372,SHA256=265DE68E5F4ABBA2E9BD79593DE386DDA8EA785D36CEE2D01A1E96671C87F950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311632Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:01.516{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517AA50F2598FD03D66F0F177C1C7FC7,SHA256=6808DBDDD361D448CEA627DA99DDB54FFBC685445A9D6F751F82AAEC4361C606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122058Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:01.267{068A336D-6C47-6192-1B00-000000000F02}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\surveyor-20211115141847-5378MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311633Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:02.516{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E77EB1855A5E0E87FAAE101D6B5F13C,SHA256=27883D6E6D03202378E5549CB711A839C93A297BE9CE1AD6D43666C87F8DCD2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122061Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:21.306{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54389-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001122060Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:02.347{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86CFC484B2CC1FBFDF3C7B8EEBF6C266,SHA256=97DF4A36BBE5F265FCFA846DE89713D8C31887D3F79B183510B6A1C2DBA5BBAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311635Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:03.530{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B672AA9E8D61E8967ED7A29432075F4,SHA256=DE8057C4E07EB20147397F2D9BFB1E694329A1D2825B5ACED0947DDB9BB31287,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122063Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:21.326{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse136.25.184.139136-25-184-139.cab.webpass.net62403-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001122062Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:03.357{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D4F073B85B56F09B3ABBB1DECFAD28,SHA256=E399EC5B3889F0D267F88AFBD083B0B95EFAD4FC193EAC8693547D515637470F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311634Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:13:59.532{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse45.141.87.27-36320-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017311636Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:04.547{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC9E8D250D4BEF985653F15E9A470B8,SHA256=2ECA87FEFE46C5BA85741DF870CE0444C82F8D52FDE61A67782FEF0EAB6D7F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122064Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:04.460{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D15042EF588C836553FA453DB980F98,SHA256=997B9C8F0C98A32B64F2FE58DBA766E73D0750A7A67BC28B48EDAA57E8C4044F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122065Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:05.507{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEED4170FEF63E53BFFC6918AEA8413,SHA256=1A8F543C8F70D9BB63060C4D8EEDB22CB94BA72D8B3DDE007EFE572A5B613DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311638Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:05.549{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC30742193B99BD3E201D594C862E36,SHA256=CAF46D36C23F0FA02DD7B28D0D9126CC4D23F714CFF363E7729309071EE189B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311637Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:01.680{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60174-false10.0.1.12-8000- 354300x80000000000000001122067Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:24.849{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-54922-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001122066Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:06.539{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3681876858161785CB8A386D535672E,SHA256=B44F3DAFFB728E3EC38A08CC481D118DB7B54B3FC8CC99A66BC286DD0156EA05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311639Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:06.550{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D942272A75983B391D54E0C02ED1763,SHA256=7249DBC0047AD1FD7F7A684D29145BA019A2A8BDD7FDD7507CB220997207D4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122068Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:07.759{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CAC9A22FA14996C995BC49D06FA9EF6,SHA256=5870FD593C1D8CFA3788BBC64114B2E8D757697AAAA222E4E992D6B35781B2B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311640Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:07.580{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6D8A763176CF24B540BC430DE3A6D6,SHA256=1790016BDF07DC8BF96D535BDAB1C81C5D92CDD5197F0AB1C208CD62BC2B3D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122069Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:08.808{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C525C96DAEECD02B504B6FFDA9779F34,SHA256=8765E8C4B6425AD88D073551B0BD0A5A83689518F2EF4AE82C69CAC078009F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311641Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:08.596{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD04DD26082781EDD15213DC6964711,SHA256=CA4437ADD3D50DEAF5FBA1D3FCEE4BCFB1F34B7E9DEE38E58CDAC4E8E50AC3ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122072Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:09.858{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD9D26A3A1ED93BB51AF16EDB555F5C,SHA256=2D16EA9F7A51E4E2124B1EED22F50C8DF2210846656CF2B943F1624515D867FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311642Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:09.615{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E146A6974B3EEB931461AA38AE8049F7,SHA256=135C3A1CCCA3E1032510FB4318CE6318B57688D67EDA3C6B1DF5A92E5FE8F0FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122071Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:09.823{068A336D-6C46-6192-1200-000000000F02}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1BDB89601F017D29A55DFA1D86374C45,SHA256=52EADC3A1D5D12E239F3CBED043787BAE06EC376E769B2F4F9F69B0433C29513,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122070Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:27.169{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54390-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001122074Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:10.957{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5B91A40F37997A40D3F5C618193F59,SHA256=6E8ABBF0C8AB8B97DFABFCC0B236AC9C938456A38141E23346A67EF25D791BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311643Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:10.645{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2A126EEAA50FAADFA4E3B3C30A509A,SHA256=AC09D42E08D6BB37C9C57FB2659D1FF656ACBECF3D495E2D1E395134BE065BBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122073Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:28.745{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-40892-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001122076Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:11.975{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C079A85E80F9859FE6BB3B22898624,SHA256=F8894746C68D144DA02A2F0AFA016CA544DA39E9D31EE1F9F26243C66CEDB478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311645Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:11.695{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=479582297677547D10B03CB896D2F122,SHA256=2C62D5773CEBC153B84ABABD9B13E667A98AABE87B0F2612E6D58E3D73CD60A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122075Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:29.022{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.114-57721-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000017311644Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:07.627{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60175-false10.0.1.12-8000- 23542300x800000000000000017311646Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:12.729{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6544BF9508678235DBE2A5B4DBDF445E,SHA256=51A259B270D904A973A0FD201A128B72C5C471D3F9B549F87AA081D23E9DD2DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311647Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:13.745{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF8C37F4D4DC325C965D86C65166C505,SHA256=69B7988FAD91215F28F5E0F24AF45BAFE026208D9D545498B1EE2B3A0175772F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122077Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:13.036{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDEB027F4BFA32919A93108F672B2C08,SHA256=256201D663F28618DA738AB8C087D9E1A2D77AEEA754064817AAA6F234AB3275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311649Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:14.760{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6597083BC6D422F3DCF70B522C86B5D,SHA256=3B785878D37BB0844A6421017625E439156864655003DCDC07E1B9C12FBDAFDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001122079Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:33.198{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54391-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001122078Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:14.057{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A814C8923F3650EEC9D4F74CD8DCCA,SHA256=E56BA3987985041F29F8293FFECE23EE7C734CCF8BCE031AB1289871656FC904,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000017311648Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:14:14.113{CBEA6AB7-6A01-6192-1000-000000000E02}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7dd2e-0x33fc83a8) 23542300x800000000000000017311650Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:15.760{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA2AB0EAA89B21FD344858346871C87,SHA256=019F979DB493820AB72435E5890D2F201146B4B6C6BAC8F5857069B42C91D083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122080Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:15.079{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3030B514BCCCFA64662A97BF9484C716,SHA256=0DD1DF84F8661F6CD8D5F3B76E288C154D00D4E56FB4E1DDDC57AE8D3B9DA7C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311655Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:16.776{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FAEF1DDDCBA551FCBEF50670500A212,SHA256=E5248EA583B6B03F27240998C8A322327BFC88E8BAB07D226E26402D9AD699EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122081Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:16.094{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD61E581182BCEDB6A13BA561430FABB,SHA256=CF746E0A214B22FF07B17C3479547CC89FD8F3327A284A082590C1024E57FF2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017311654Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:12.940{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.82.77.234scanner.openportstats.com58525-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000017311653Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:12.779{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60176-false10.0.1.12-8000- 23542300x800000000000000017311652Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:16.476{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF773F6760231A1E6828A0F4A864A24F,SHA256=4A4B771CB8B7847AE954BA6B8870A7DAB6EDB44DDA5547B80C79A9E1B7FDA85D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311651Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:16.476{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D24882EACA87096D8C27C71B02D313D4,SHA256=AEAC4AFCE0234640E1204D958AA5CF8FA0A554287CD71AB5C1E23AB9139A04B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311656Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:14:17.793{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F1D71A32C4C01B8B3CCBD62F3B890C2,SHA256=20A8CBC0FC8B138CA32F81951229E0E73CD10167132CDCC0D2301D6BAB5BFEDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122082Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:17.124{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C415E1F8F321613F2F0B0DD726F3478,SHA256=58A864A695C00291780EFCCE530ADE9F6D12CEBCB0EC062A5D906D81CACAB667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001122083Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:14:18.139{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C864FA25195DD45DB766CC446CD37F,SHA256=DA2E303AA9FAA00088A62D09FBF28B3123090EB68EAAD4AA929D9D8353C5ACA4,IMPHASH=00000000000000000000000000000000falsetrue